Adobe Systems has issued a sizeable security update with patches for 36 vulnerabilities, at least one of which is currently under attack in the wild.
The most critical flaw, CVE-2015-5119, could lead to code execution, as Adobe’s accompanying Bulletin states: “These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit targeting CVE-2015-5119 has been publicly published.”
PC World reports that the flaw has already been integrated into three commercial exploit kits: Angler, Neutrino and Nuclear Pack.
It’s been reported that the flaw was included in the 400GB dump that hackers claim was stolen from the “Hacking Team” security company. As We Live Security reported recently, in spite of the claims, it has yet to to be proven that this data is legitimate.
The other updates include fixes that resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118), and updates that resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134,CVE-2015-4431).
Adobe’s Flash Player updates are available for Mac, Windows and Linux. Flash users running Mac OS X and Windows computers should update to Adobe Flash Player 18.0.0.203 (15.6 MB) immediately to avoid potential attacks. Linux users should update to Flash Player 11.2.202.481.
It's been a difficult six months for Adobe's security team, which already had to patch a string of serious vulnerabilities earlier this year.
