Multiple vulnerabilities in Adobe Flash Player and AIR could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.
This update resolves a stack overflow vulnerability, a memory leak vulnerability, and a double free vulnerability. An unauthenticated, remote attacker could exploit these vulnerabilities by persuading a user to visit a malicious web page that contains crafted Flash content. If successful, the attacker could execute arbitrary code on the system, which could result in a complete system compromise.
Adobe is aware that CVE-2014-0502 is currently being exploited in the wild.
The following Adobe products are vulnerable:
- Adobe Flash Player for Windows and Macintosh versions 184.108.40.206 and prior
- Adobe Flash Player for Linux versions 220.127.116.116 and prior
- Adobe AIR for Android versions 18.104.22.1680 and prior
- Adobe AIR version 22.214.171.1240 SDK and Compiler and prior versions
Adobe has released a security bulletin at the following link: APSB14-07
. Adobe has released updated software at the following links:
Red Hat has released official CVE statements and a security advisory for bug 1067656 at the following links: CVE-2014-0498, CVE-2014-0499, CVE-2014-0502, and RHSA-2014:0196
Red Hat has released updated software for registered subscribers at the following link: Red Hat Network. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.
- Adobe Flash Player 126.96.36.199 for Windows and Macintosh
- Adobe Flash Player 188.8.131.526 for Linux
- Adobe AIR 184.108.40.2068 for Android
- Adobe AIR version 220.127.116.118 SDK & Compiler
- Adobe Flash Player for Google Chrome and Microsoft Internet Explorer 10 and 11 users can be updated by implementing the latest updates to the respective browsers.
Administrators are advised to apply the appropriate updates.
To exploit the vulnerabilities, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link.