Multiple vulnerabilities in Adobe Flash Player and AIR could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.
This update resolves a stack overflow vulnerability, a memory leak vulnerability, and a double free vulnerability. An unauthenticated, remote attacker could exploit these vulnerabilities by persuading a user to visit a malicious web page that contains crafted Flash content. If successful, the attacker could execute arbitrary code on the system, which could result in a complete system compromise.
Adobe is aware that CVE-2014-0502 is currently being exploited in the wild.
The following Adobe products are vulnerable:
- Adobe Flash Player for Windows and Macintosh versions 18.104.22.168 and prior
- Adobe Flash Player for Linux versions 22.214.171.1246 and prior
- Adobe AIR for Android versions 126.96.36.1990 and prior
- Adobe AIR version 188.8.131.520 SDK and Compiler and prior versions
Adobe has released a security bulletin at the following link: APSB14-07
. Adobe has released updated software at the following links:
Red Hat has released official CVE statements and a security advisory for bug 1067656 at the following links: CVE-2014-0498, CVE-2014-0499, CVE-2014-0502, and RHSA-2014:0196
Red Hat has released updated software for registered subscribers at the following link: Red Hat Network. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.
- Adobe Flash Player 184.108.40.206 for Windows and Macintosh
- Adobe Flash Player 220.127.116.116 for Linux
- Adobe AIR 18.104.22.1688 for Android
- Adobe AIR version 22.214.171.1248 SDK & Compiler
- Adobe Flash Player for Google Chrome and Microsoft Internet Explorer 10 and 11 users can be updated by implementing the latest updates to the respective browsers.
Administrators are advised to apply the appropriate updates.
To exploit the vulnerabilities, the attacker may provide a link that directs a user to a malicious site and use misleading language or instructions to persuade the user to follow the provided link.