Adobe Ships Fixes for Flash, ColdFusion and Shockwave in April Patch Release

Type threatpost
Reporter Brian Donohue
Modified 2013-05-08T20:16:54


Flash patchesAdobe patchesAdobe published its monthly security bulletins today, pushing out updates that address issues in the company’s ColdFusion platform as well as its Flash and Shockwave Players.

The first bulletin provides a hotfix for Adobe’s ColdFusion platform, resolving anonymously reported flaws that could allow attackers to impersonate authenticated users or gain unauthorized access to the ColdFusion administrator console in versions 10, 9.0.2, 9.0.1, and 9.0 for Windows, Macintosh, and UNIX.

The vulnerabilities addressed are considered important ones in terms of severity, meaning that they could be exploited to compromise data security, sensitive information, or user resources. Its second class priority rating suggests that, despite there being no known attacks targeting this vulnerability in the wild, similar exploits in the past have put users at elevated –as opposed to imminent – risk of exploit.

ColdFusion customers can follow instructions to update their installation here.

The second bulletin closes crash-causing vulnerabilities in a laundry list of Adobe Flash Player versions for various operating systems. An attacker could also potentially exploit these in order to wrest control of affected systems.

Instructions for update can be found here.

Affected software includes: Adobe Flash Player 11.6.602.180 and earlier versions for Windows and Macintosh, Adobe Flash Player and earlier versions for Linux, Adobe Flash Player and earlier versions for Android 4.x, Adobe Flash Player and earlier versions for Android 3.x and 2.x, Adobe AIR and earlier versions for Windows, Macintosh and Android, and Adobe AIR SDK & Compiler and earlier versions.

The priority ratings for these fixes range from a (highest priority) one for the Widows Flash Player fix, to a two for the Mac Flash Player fix, to (lower priority) threes for the Linux and Android Flash Player fixes and threes for all of the Adobe Air fixes as well. Collectively, the bulletin received a critical severity rating. You can read about Abobe’s priority and severity rating system here.

Adobe credits Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security Team and Vupen Security for reporting the bugs addressed in the second bulletin.

The final bulletin relates to Adobe’s Shockwave Player, fixing critically rated, highest priority vulnerabilities on both Windows and Mac machines. Successful exploitation of a buffer overflow and memory corruption vulnerability could give an attacker the ability to execute malicious code on affected systems. It also resolves a memory leakage problem that could be exploited to reduce the effectiveness of address space randomization.

Adobe acknowledges Honggang Ren of Fortinet’s FortiGuard Labs and Aaron Portnoy of Exodus Intelligence for their help with this bulletin.

The fix for the last bulletin is available here, and you can find links to each of the bulletins on Adobe’s security page.