Security News

Adobe Patches Critical Flaws in Flash Player, Shockwave Player, and ColdFusion


Adobe has released security updates that resolve critical vulnerabilities in Adobe Flash Player 11.7.700.225 and earlier versions for Mac, as well as in Shockwave Player 12.0.2.122 and earlier versions for both Mac and Windows operating systems. Additionally, Adobe issued security hotfixes for ColdFusion 10 for Mac, Linux and Windows. These software updates fix five bugs in total, with three flaws patched in Adobe Flash, one in Shockwave Player and another in ColdFusion 10 for Mac.

The Adobe Flash Player update addresses vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected machine. Following are brief descriptions of the three flaws resolved in the update:

  • These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2013-3344).
  • These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2013-3345).
  • These updates resolve an integer overflow when resampling a user-supplied PCM buffer (CVE-2013-3347).

The Adobe Shockwave Player update addresses a critical vulnerability (CVE-2013-3348) that could allow an attacker who successfully exploits it to run malicious code on the affected system. The following details describe the bug fixed in the Shockwave Player update, as well as the hotfix for ColdFusion 10 for Mac:

  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2013-3348).
  • The hotfix for ColdFusion addresses a critical vulnerability (CVE-2013-3350) that could permit an attacker to invoke public methods on ColdFusion Components (CFC) using WebSockets.

ColdFusion 10 customers are not affected by CVE-2013-3349, as mentioned in Adobe’s security bulletin.

Users of Adobe Flash Player 11.7.700.225 and earlier versions for Macintosh can head over to Adobe’s site and download the 17.2 MB update to Adobe Flash Player 11.8.800.94. Adobe Flash installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.8.800.97 for Macintosh, Linux and Windows.

Users of Adobe Shockwave Player 12.0.2.122 and earlier versions can download the 13.0 MB update to Adobe Shockwave Player 12.0.3.133. ColdFusion customers can update their installation using the instructions provided in Adobe’s technote.