Adobe patches Flash dirty dozen, ignores 155 in Shockwave shocker
Sixteen code execution holes closed
Adobe has patched nearly two dozen vulnerabilities in its Flash player including 16 that lead to code execution but is still serving flawed versions with hundreds of holes as part of its Shockwave bundle.
The Flash vulnerabilities patched yesterday affect Windows, Mac, and Linux as part of the version 19.x updates.
It addresses code execution flaws resulting from buffer overflow vulnerabilities, memory corruption, and stack and stack overflow corruption.
Some of the 23 fixes include information disclosure, an update to harden against vector length corruptions, and validation checks to reject content from vulnerable JSONP callback APIs.
Google's Project Zero, HP's Zero Day Initiative, and Alibaba were among those security shops credited with discovering and reporting the holes.
While users running Flash should receive automatic updates, those grabbing clean installations of bundled Shockwave will risk having deployed severely outdated versions of the ravaged runtime.
The bundled Adobe Shockwave is serving Flash versions dating back to 126.96.36.1995 released Feburary and containing a staggering 155 vulnerabilities, according to KrebsonSecurity.
Installation tests by this author on Windows 10 found Shockwave had installed version 18, released June.
Both borked versions would leave users open to dangerous attacks including some code execution holes being actively exploited in popular attack tools like the Angler exploit kit.
It's not all bad news for Flash lovers; the latest update introduces shiny features like AIR Workers for iOS, better Stage3D error messages, and bug fixes. ®