In this patch
Bugs leading to code execution
- CVE-2012-0751 - Resolves a memory corruption flaw (Windows ActiveX control only).
- CVE-2012-0752 - Patches a type confusion memory corruption flaw.
- CVE-2012-0753 - Fixes an MP4 parsing memory corruption flaw.
- CVE-2012-0754 - Patches a memory corruption flaw.
- CVE-2012-0755 - Resolves a security bypass flaw.
- CVE-2012-0756 - Fixes a security bypass flaw.
- CVE-2012-0767 - Resolves a universal cross-site scripting flaw.
Adobe has released an out-of-cycle patch for Flash Player to address a zero-day vulnerability that it believes might be exploited in the wild. Seven critical vulnerabilities have been fixed, according to an Adobe security bulletin released February 15.
The Flash Player update patches a universal cross-site scripting (XSS) vulnerability that may allow attackers to potentially take actions on a user’s behalf, if the user visits a malicious website. According to Adobe’s advisory, this vulnerability is reportedly being exploited in the wild using a link delivered via email (Internet Explorer on Windows only). In addition, the patch fixes four memory corruption bugs and two security bypass vulnerabilities that may be used for remote code execution exploits.
Adobe recommends that users of Adobe Flash Player for Windows, Macintosh, Linux and Solaris, v220.127.116.11 and earlier, update to Adobe Flash Player v18.104.22.168. Flash Player v22.214.171.124 for Android 4.x may be updated to v126.96.36.199. Flash Player v188.8.131.52 and earlier for Android 3.x and earlier versions should updated to v184.108.40.206.
This update follows hot on the heels of Adobe’s Shockwave Player update released hours before Microsoft’s February patch on Tuesday. These critical vulnerabilities do not affect other Adobe products (Reader and Acrobat), as has been the case with previous Flash bugs.