Multiple vulnerabilities in Adobe Flash Player and AIR could allow an unauthenticated, remote attacker to execute arbitrary code, gain elevated privileges, or access sensitive information.
This update resolves 15 vulnerabilities that could lead to arbitrary code execution and one information disclosure vulnerability that an attacker could exploit to access sensitive information. In addition, this update addresses one vulnerability as well as one issue that could allow an attacker to gain elevated privileges. An unauthenticated, remote attacker could exploit the vulnerabilities by persuading a user to visit a malicious web page that contains crafted Flash content. If successful, the attacker could execute arbitrary code that could result in a complete system compromise, gain elevated privileges, or access sensitive information.
The following Adobe products are vulnerable:
- Adobe Flash Player versions 18.104.22.168 and prior and 22.214.171.124 and prior for Windows and Macintosh
- Adobe Flash Player for Linux versions 126.96.36.1991 and prior
- Adobe AIR Desktop Runtime versions 188.8.131.523 and prior
- Adobe AIR SDK versions 184.108.40.2062 and prior
- Adobe AIR SDK and Compiler versions 220.127.116.112 and prior
- Adobe AIR versions 18.104.22.1683 and prior for Android
Adobe has released a security bulletin at the following link: APSB14-24. Adobe has released updated software at the following links:
Adobe Flash Player installed with Google Chrome and Microsoft Internet Explorer 10 and 11 can be updated by installing the latest updates to the respective browsers.
Red Hat has released a security advisory for bug 1162911 at the following link: RHSA-2014-1852.
Red Hat has released updated software for registered subscribers at the following link: Red Hat Network. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.
Administrators are advised to apply the appropriate updates.
Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.
Administrators can apply Snort SID 32543 to help prevent attacks that attempt to exploit this vulnerability.
Administrators are advised to monitor affected systems.