The latest revision of Adobe Flash Player incorporates a set of 18 security fixes, all for critical vulnerabilities; most of them (15) would allow a potential attacker to execute arbitrary code on the affected machine.
Previous versions of the software are susceptible to glitches ranging from memory corruption, use-after-free and heap buffer overflow to double free, information disclosure and permission issues.
Exploiting some of them would give an attacker the possibility to gain elevated privileges or access to session tokens.
According to the security bulletin from Adobe, in the case of two weaknesses (CVE-2014-8442 and CVE-2014-0583), malicious actors could increase their privileges on the impacted system from low to medium integrity level.
Their discovery has been attributed to Haifei Li of McAfee Labs IPS Team (CVE-2014-0583) and researchers Behrang Fouladi and Axel Souchet of Microsoft Vulnerability Research.
Other contributors to the increased security of the latest Flash Player are from Google’s Project Zero (Ian Beer, Natalie Silvanovich, Tavis Ormandy and Chris Evans), Venustech ADLAB, TrendMicro, and Chinese company KnowSec.
The browser plug-in is updated automatically in Google Chrome, where it is synonymous with a version bump. The same can be said in the case of Internet Explorer, which receives the update through the built-in mechanism in Windows.
The desktop release can also be updated automatically if the feature has been turned on in the client.