Adobe Patches Flash Player, Shockwave

Wednesday, December 11, 2013 @ 05:12 PM gHale

Adobe patched holes in its Flash Player and Shockwave Player Tuesday, including one that already has an exploit chomping at the bit.

“These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content exists for CVE-2013-5331,” the company said in a security advisory.

Adobe Fixes Flash Player, ColdFusion
Adobe Hack Bigger than Thought
Adobe Hacked, Source Code Leaked
Too Small for an Attack? Think Again

That CVE (Common Vulnerabilities and Exposures) ID refers to a type confusion vulnerability fixed in the new version of Flash Player. A memory corruption flaw tracked as CVE-2013-5332 also ended up fixed. If exploited successfully, both vulnerabilities can lead to arbitrary code execution allowing attackers to take control of the affected systems.

Some mitigation for this type of exploit exists since Flash 11.6, which introduced a click-to-play feature that requires users to confirm the playback of Flash content embedded in documents when opened in Microsoft Office versions older than Office 2010.

Tuesday’s update, though, moved the Windows and Macintosh versions of Flash Player to version 11.9.900.170, and the Linux version to The Flash Player versions bundled with Google Chrome, Internet Explorer 10 and Internet Explorer 11 will automatically update through those browsers’ update mechanisms.

The two Flash Player vulnerabilities were also fixed in Adobe AIR, a runtime for rich Internet applications that has Flash support. The patches are included in Adobe AIR version for Windows, Mac and Android.

Adobe Shockwave Player version for Windows and Mac also released Tuesday to resolve two different memory corruption vulnerabilities—CVE-2013-5333 and CVE-2013-5334—that could lead to arbitrary code execution. Shockwave Player is not as widespread as Flash Player, but Adobe said it is on over 450 million desktop computers, which makes it a big target for attackers.

Leave a Reply

You must be logged in to post a comment.