Adobe Systems has released security patches for its Flash Player, Reader and Acrobat products, addressing a total of eight vulnerabilities, including one that is being exploited by attackers.
The actively exploited flaw affects Adobe Reader and was found by researchers from antivirus vendor Kaspersky Lab. The flaw was being used in isolated attacks, they said.
“At the moment, we are not providing any details on these attacks as the investigation is still ongoing,” said Costin Raiu, director of Kaspersky’s global research and analysis team, in a blog post. “Although these attacks are very rare, just to stay on the safe side we recommend everyone to get the update from the Adobe site as soon as possible.”
The vulnerability allows attackers to escape the sandbox protection of Reader and Acrobat X and XI in order to execute code with elevated privileges on the Windows platform. Adobe addressed the flaw in the newly released 11.0.08 and 10.1.11 versions of the two products.
The company also released new versions of Flash Player for Windows, Mac and Linux, as well as updates for the Adobe AIR framework, its SDK (software development kit) and compiler.
The Flash Player and AIR updates address seven vulnerabilities, one of which can result in remote code execution. Five of the remaining vulnerabilities can be used to bypass memory address randomization, a mechanism designed to make exploitation harder, and one can be used to bypass other security restrictions.
The Flash Player versions bundled with Google Chrome, Internet Explorer 10 for Windows 8 and Internet Explorer 11 for Windows 8.1 will be updated automatically through those browsers. Users of Flash Player and earlier Internet Explorer versions on Windows should upgrade to version 14.0.0.176 and Firefox users should upgrade to version 14.0.0.179. Mac users should upgrade to version 14.0.0.176 and Linux users to version 11.2.202.400.
Adobe AIR users on Windows and Mac should upgrade to version 14.0.0.178 while Android users should upgrade to AIR 14.0.0.179, Adobe said in a security advisory.