Patch Tuesday, the second Tuesday of each month, is when several software vendors ship their scheduled security patches, and today is no exception. Adobe has issued critical security updates for Flash Player and Shockwave Player for Mac OS X and Windows (and, for Flash Player, Linux as well).
Adobe’s Flash Player update addresses vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
The following Adobe Flash Player versions are affected: Adobe Flash Player 11.9.900.152 and earlier for Macintosh and Windows, and Adobe Flash Player 11.2.202.327 and earlier for Linux. Updates are also available for Adobe AIR 3.9.0.1210 and earlier for Mac and Windows.
Adobe also noted that the company “is aware of reports that an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content exists for CVE-2013-5331.” Flash Player 11.6 and later include a mitigation (Click-to-Play for Office) that blunts this delivery vector, but it does not fix the underlying bug, so the update itself is still required.
Peleus Uhley, Adobe’s Platform Security Strategist, described the mitigation when it was introduced with Flash Player 11.6:
Last week, we introduced a new Flash Player feature that includes a new Microsoft Office click-to-play capability that determines whether Flash Player is being launched within Microsoft Office and automatically checks the version of Office. Launching Flash Player 11.6 from within a version of Office older than Office 2010 will prompt the end-user before executing the Flash content, ensuring potentially malicious content does not immediately execute and impact the end-user. This feature adds another layer of defense against spearphishing attacks by allowing the end-user an opportunity to realize that they have opened a potentially malicious document and close it before the exploit executes.
Click-to-Play for Office should make this attack vector less attractive for attackers. Please update your environments to Flash Player 11.6 as soon as possible.
Adobe’s security bulletin (APSB13-28) describes the Flash Player bug fixes as follows:
- These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2013-5331).
- These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2013-5332).
Adobe’s Shockwave Player update addresses a vulnerability that could allow an attacker who successfully exploits it to run malicious code on the affected system.
Affected versions are Adobe Shockwave Player 12.0.6.147 and earlier for Macintosh and Windows.
Adobe’s security bulletin (APSB13-29) describes the Shockwave Player bug fixes as follows:
To get the latest security updates, users of Adobe Flash Player 11.9.900.152 and earlier for Windows and Macintosh should download Adobe Flash Player 11.9.900.170 (total size: 17.5 MB). Linux users of Flash Player 11.2.202.327 and earlier should update to Adobe Flash Player 11.2.202.332.
Flash Player bundled with Google Chrome is updated automatically together with Chrome itself; the current Chrome release includes Adobe Flash Player 11.9.900.170 for Windows, Mac and Linux. Users of Adobe AIR 3.9.0.1210 and earlier for Mac and Windows should install the 26.2 MB update to Adobe AIR 3.9.0.1380.
Users of Adobe Shockwave Player 12.0.6.147 and earlier should download Adobe Shockwave Player 12.0.7.148 (13.0 MB) for the recommended security updates.
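The update guidance above is a per-product, per-platform threshold, and the usual mistake when checking a fleet against it is comparing version strings lexically rather than field by field (a string compare sorts a hypothetical "11.10.x" below "11.9.x"). The following is an added example, not code from the article or from Adobe, that parses dotted build numbers numerically and audits a constructed inventory against the first fixed builds. The Windows/Mac Flash Player builds are the ones quoted above; the Linux Flash Player, AIR and Shockwave builds are taken from bulletins APSB13-28 and APSB13-29. The inventory format (host,product,platform,version) and the hostnames are assumptions made up for the example.

```python
"""Audit an inventory of Adobe Flash / AIR / Shockwave installs against the
first fixed builds from APSB13-28 and APSB13-29 (added example, not from the
article or from Adobe)."""
from typing import Dict, List, Tuple

# (product, platform) -> (highest affected build, first fixed build).
# Windows/Mac Flash values are quoted in the article; the rest come from the
# bulletins themselves.
FIXED: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("flash", "windows"):     ("11.9.900.152", "11.9.900.170"),
    ("flash", "mac"):         ("11.9.900.152", "11.9.900.170"),
    ("flash", "linux"):       ("11.2.202.327", "11.2.202.332"),
    ("air", "windows"):       ("3.9.0.1210",   "3.9.0.1380"),
    ("air", "mac"):           ("3.9.0.1210",   "3.9.0.1380"),
    ("shockwave", "windows"): ("12.0.6.147",   "12.0.7.148"),
    ("shockwave", "mac"):     ("12.0.6.147",   "12.0.7.148"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.9.900.170' into (11, 9, 900, 170) so tuples compare numerically.

    Rejects anything that is not purely dotted digits, so a garbled or
    truncated version field fails loudly instead of silently comparing low.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, platform: str, installed: str) -> bool:
    """True if the installed build is older than the first fixed build.

    Uses strict less-than against the fixed build rather than less-or-equal
    against the last affected build: any build between the two would also be
    unpatched, and an unknown product/platform pair is an error, not 'safe'.
    """
    key = (product.strip().lower(), platform.strip().lower())
    if key not in FIXED:
        raise KeyError(f"no fix data for {key}")
    _, first_fixed = FIXED[key]
    return parse_version(installed) < parse_version(first_fixed)


# Constructed sample inventory (host,product,platform,version); not real hosts.
INVENTORY = """\
ws01,flash,windows,11.9.900.152
ws02,flash,windows,11.9.900.170
ws03,flash,mac,11.8.800.97
srv01,flash,linux,11.2.202.327
srv02,flash,linux,11.2.202.332
ws04,shockwave,windows,12.0.6.147
ws05,air,mac,3.9.0.1380
"""


def audit(inventory_csv: str) -> List[str]:
    """Return the hosts whose install is still below the first fixed build."""
    needs_update: List[str] = []
    for line in inventory_csv.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, product, platform, version = (f.strip() for f in line.split(","))
        if is_vulnerable(product, platform, version):
            needs_update.append(host)
    return needs_update


if __name__ == "__main__":
    for host in audit(INVENTORY):
        print(f"{host}: update required")
```

Running the block lists ws01, ws03, srv01 and ws04; ws02, srv02 and ws05 are already on the fixed builds. Chrome's bundled Flash is deliberately absent from the table, since it is patched through Chrome's own updater and should be checked by Chrome version instead.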