The Mac Security Blog

Security News

Adobe Patches 10 Critical Vulnerabilities in Flash Player, Shockwave Player, and ColdFusion

Posted on by

Adobe Systems has released new versions of Flash Player, Shockwave Player, and ColdFusion in order to address a total of 10 critical vulnerabilities in the software products. The 17.1 MB update to Adobe Flash Player 11.7.700.169 is available for download and resolves four critical vulnerabilities “that could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in a security advisory.

The newly released Flash Player versions are: Flash Player 11.7.700.169 for Windows and Mac, and Flash Player 11.2.202.280 for Linux.

The following details describe the four flaws resolved in the Adobe Flash Player update:

  • These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2013-2555).
  • These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2013-1378, CVE-2013-1380).
  • These updates resolve a memory corruption vulnerability caused by Flash Player improperly initializing certain pointer arrays, which could lead to code execution (CVE-2013-1379).

Adobe also released updates for Windows and Macintosh supported editions of Adobe Shockwave Player and offered a hotfix for ColdFusion in order to fix six vulnerabilities found in the products. The company also released version 3.7.0.1530 of its Adobe AIR Internet application runtime system, because the software includes Flash Player and was subject to the same vulnerabilities.

Following are details that describe the combined six flaws resolved in the Shockwave Player and ColdFusion updates:

  • This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2013-1383).
  • This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2013-1384, CVE-2013-1386).
  • This update resolves a memory leakage vulnerability that could be exploited to reduce the effectiveness of address space randomization (CVE-2013-1385).
  • This hotfix resolves a vulnerability that could be exploited to impersonate an authenticated user (CVE-2013-1387).
  • This hotfix resolves a vulnerability that could be exploited by an unauthorized user to gain access to the ColdFusion administrator console (CVE-2013-1388). 

Users of Adobe Flash Player 11.6.602.180 and earlier versions for Mac OS X should update to Adobe Flash Player 11.7.700.169 as soon as possible. The Flash Player plug-ins that come bundled with Google Chrome will automatically be updated by Google through their respective update mechanisms, which will include Adobe Flash Player 11.7.700.179 for Windows and 11.7.700.169 for Macintosh and Linux. Users of Adobe AIR 3.6.0.6090 and earlier versions should install the 26.2 MB update to Adobe AIR 3.7 (Macintosh).

Users of Adobe Shockwave Player 12.0.0.112 and earlier versions for Mac and Windows should install the 13 MB update to the new Shockwave 12.0.2.122. Lastly, Adobe recommends ColdFusion customers update their installations using the instructions provided here.