Adobe Systems Inc. repaired 20 vulnerabilities in its Shockwave Player in a critical update issued late Tuesday that blocks attackers from remotely exploiting the flaws.
The holes were identified in Adobe Shockwave Player 18.104.22.1689 running on Microsoft Windows and Apple Mac OS X. Adobe said it knew of no ongoing attacks against the flaws in the wild. The update repairs more than a dozen memory corruption vulnerabilities and several denial-of-service flaws.
Adobe Shockwave Player is used as a plug-in in hundreds of millions of Web browsers and has been a favorite target of attackers in recent years. In a recent interview, Brad Arkin, senior director of product security and privacy at Adobe, said the company has been increasing its transparency on its software security processes and investing in ways to better protect users from attacks. The majority of users that fall victim to attacks fail to keep the software up to date, he said.
Adobe said some of the flaws corrected in the latest update enable an attacker to execute code remotely, gain access to system files and take control of an affected computer.
"The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system," Adobe said in its Shockwave Player security bulletin. "Adobe categorizes this as a critical update and recommends that users apply the update for their product installations."
Adobe said users should upgrade to Shockwave Player 22.214.171.1242. The company credited the finds to a number of researchers, including several anonymous submissions to TippingPoint's Zero Day Initiative and VeriSign's iDefense Labs Vulnerability Contributor Program.