Today, Adobe released security updates for Adobe Flash Player for Mac, Windows and Linux, resolving memory corruption bugs in the software. These updates specifically address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
The following software versions are affected and should be updated as soon as possible: Adobe Flash Player 11.9.900.117 and earlier versions for Mac and Windows, and Adobe Flash Player 220.127.116.110 and earlier versions for Linux. Updates are also available for Adobe AIR 18.104.22.1680 and earlier versions for Windows and Macintosh.
Adobe’s security bulletin (APSB13-26) describes the bugs fixed in the Flash Player update as follows:
In addition to updating Flash Player, Adobe released a security hotfix for ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0 for Macintosh, Windows and Linux. The hotfix addresses an important cross-site scripting vulnerability, as well as a critical remote read vulnerability.
The ColdFusion security bulletin (APSB13-27) describes the bugs fixed in this hotfix as follows:
- This hotfix addresses a reflected cross site scripting vulnerability (CVE-2013-5326) that could be exploited by a remote, authenticated user on ColdFusion 10 and earlier when the CFIDE directory is exposed.
- This hotfix also addresses a vulnerability (CVE-2013-5328) in ColdFusion 10 that could permit unauthorized remote read access.
Users of Adobe Flash Player 11.9.900.117 and earlier versions for Mac should install the 17.5 MB update to Adobe Flash Player 11.9.900.152. Adobe Flash Player 11.9.900.117 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.9.900.152 for Windows, Macintosh and Linux.
Users of Adobe AIR 22.214.171.1240 and earlier versions for Mac and Windows should install the 26.2 MB update to Adobe AIR 126.96.36.1990.
Adobe recommends that ColdFusion customers update their installations using the instructions provided in the accompanying technote. ColdFusion customers should also apply the security configuration settings outlined on the ColdFusion Security page and review the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide.