In this patch
Bugs leading to code execution
- CVE-2012-0751 - Resolves a memory corruption flaw (Windows ActiveX control only).
- CVE-2012-0752 - Patches a type confusion memory corruption flaw.
- CVE-2012-0753 - Fixes an MP4 parsing memory corruption flaw.
- CVE-2012-0754 - Patches a memory corruption flaw.
- CVE-2012-0755 - Resolves a security bypass flaw.
- CVE-2012-0756 - Fixes a security bypass flaw.
- CVE-2012-0767 - Resolves a universal cross-site scripting flaw.
Adobe has released an out-of-cycle patch for Flash Player to address a zero-day vulnerability that it believes might be exploited in the wild. Seven critical vulnerabilities have been fixed, according to an Adobe security bulletin released February 15.
The Flash Player update patches a universal cross-site scripting (XSS) vulnerability that could allow attackers to take actions on a user’s behalf if the user visits a malicious website. According to Adobe’s advisory, this vulnerability is reportedly being exploited in the wild using a link delivered via email (Internet Explorer on Windows only). In addition, the patch fixes four memory corruption bugs and two security bypass vulnerabilities that may be used for remote code execution exploits.
Adobe recommends that users of Adobe Flash Player for Windows, Macintosh, Linux and Solaris, v126.96.36.199 and earlier, update to Adobe Flash Player v188.8.131.52. Flash Player v184.108.40.206 for Android 4.x may be updated to v220.127.116.11. Flash Player v18.104.22.168 and earlier for Android 3.x and earlier versions should be updated to v22.214.171.124.
This update follows hot on the heels of Adobe’s Shockwave Player update, released hours before Microsoft’s February patch on Tuesday. Unlike previous Flash bugs, these critical vulnerabilities do not affect other Adobe products (Reader and Acrobat).