Adobe released updates for Flash Player that fix two vulnerabilities that could allow attackers to bypass security controls in the software.
One of the vulnerabilities, tracked as CVE-2014-0504, can be exploited to read the contents of a computer’s clipboard, the short-term data storage feature of the OS where information is kept during copy and paste operations. The second vulnerability, identified as CVE-2014-0503, could be exploited to bypass the browser’s same-origin policy, an important security feature that prevents resources loaded from different domain names from interacting with each other.
The security updates released by the company Tuesday are Flash Player 18.104.22.168 for Windows and Mac and Flash Player 22.214.171.1246 for Linux. The Flash Player plug-ins distributed with Chrome, Internet Explorer 10 on Windows 8 and Internet Explorer 11 on Windows 8.1 will be automatically updated to version 126.96.36.199 through the respective update mechanisms of those browsers.
Adobe rated the newly patched vulnerabilities as important, not critical, because they don’t allow remote code execution.
The absence of critical fixes in Flash Player updates is somewhat uncommon, but in this case, it is likely because Adobe was forced to release an out-of-band emergency update on Feb. 20 to address a zero-day vulnerability that was being actively exploited in targeted attacks. The company also took that occasion to fix two other critical vulnerabilities that had been privately reported.