Adobe Flash patches zero-day XSS, 6 critical vulnerabilities

Adobe ships a patch for a Flash Player zero-day XSS bug as well as six critical bugs in an out-of-cycle update.

In this patch

Bugs leading to code execution

  • CVE-2012-0751 - Resolves a memory corruption flaw (Windows ActiveX control only).
  • CVE-2012-0752 - Patches a type confusion memory corruption flaw.
  • CVE-2012-0753 - Fixes an MP4 parsing memory corruption flaw.
  • CVE-2012-0754 - Patches a memory corruption flaw.
  • CVE-2012-0755 - Resolves a security bypass flaw.
  • CVE-2012-0756 - Fixes a security bypass flaw.

Other bug-fixes

  • CVE-2012-0767 - Resolves a universal cross-site scripting flaw.

Adobe has released an out-of-cycle patch for Flash Player to address a zero-day vulnerability that it believes might be exploited in the wild. Seven critical vulnerabilities have been fixed, according to an Adobe security bulletin released February 15.

The Flash Player update patches a universal cross-site scripting (XSS) vulnerability that may allow attackers to take actions on a user’s behalf if the user visits a malicious website. According to Adobe’s advisory, this vulnerability is reportedly being exploited in the wild using a link delivered via email (Internet Explorer on Windows only). In addition, the patch fixes four memory corruption bugs and two security bypass vulnerabilities that may be used in remote code execution exploits.

Adobe recommends that users of Adobe Flash Player for Windows, Macintosh, Linux and Solaris, v11.1.102.55 and earlier, update to Adobe Flash Player v11.1.102.62. Flash Player v11.1.112.61 for Android 4.x may be updated to v11.1.115.6. Flash Player v11.1.111.5 and earlier for Android 3.x and earlier versions should update to v11.1.111.6.
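For patch-compliance work, the per-platform version thresholds above are what an administrator compares installed builds against. The following is an added example written for this page, not code from Adobe or from the article: it parses dotted Flash Player version strings, compares them numerically against the fixed versions named in the bulletin, and flags the entries in a (constructed) inventory that still predate the fix. The platform keys and the sample inventory are assumptions made for the example.

```python
# Added example: check Flash Player builds against the fixed versions the
# bulletin names. The thresholds come from the article; the inventory below
# is constructed sample data, not real hosts.

# Minimum fixed version per platform, as stated in the bulletin summary.
FIXED_VERSIONS = {
    "desktop": "11.1.102.62",   # Windows, Macintosh, Linux, Solaris
    "android4": "11.1.115.6",   # Android 4.x
    "android3": "11.1.111.6",   # Android 3.x and earlier
}


def parse_version(version):
    """Turn a dotted version such as '11.1.102.55' into a tuple of ints.

    Integer tuples compare correctly; raw strings do not
    ('11.1.102.9' > '11.1.102.62' when compared as text).
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed, platform):
    """True if the installed build is at or above the fixed version for its platform.

    A version with fewer components than the threshold (e.g. '11.1') sorts
    below it and is therefore treated as unpatched, which is the safe default.
    """
    if platform not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for platform {platform!r}")
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[platform])


def hosts_needing_update(inventory):
    """Return the hostnames whose Flash Player build predates the fix."""
    return [host for host, platform, version in inventory
            if not is_patched(version, platform)]


# Constructed inventory: (hostname, platform key, installed Flash version).
SAMPLE_INVENTORY = [
    ("ws-01", "desktop", "11.1.102.55"),    # the bulletin's "and earlier" bound
    ("ws-02", "desktop", "11.1.102.62"),    # exactly the fixed version
    ("ws-03", "desktop", "10.3.183.15"),    # constructed older 10.x build
    ("tab-01", "android4", "11.1.112.61"),  # Android 4.x build named in the bulletin
    ("tab-02", "android3", "11.1.111.6"),   # already at the Android 3.x fix
]

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: Flash Player predates the February 2012 fix, update required")
```

Feeding the function a real inventory export (hostname, platform, version) gives the list of machines still exposed to the seven CVEs above; the numeric comparison matters because a plain string sort would rank a `.9` build above a `.62` one.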

This update follows hot on the heels of Adobe’s Shockwave Player update, released hours before Microsoft’s February Patch Tuesday. Unlike some previous Flash bugs, these critical vulnerabilities do not affect other Adobe products such as Reader and Acrobat.