|mogs||Adobe patches security issues in Flash and Shockwave players|
|11th Dec, 2013 13:46|
User Since: 22nd Apr, 2009
System Score: 100%
Last edited on 11th Dec, 2013 13:55
Summary: New versions of the players fix critical vulnerabilities in each.
By Larry Seltzer for Zero Day | December 10, 2013 -- 20:57 GMT
Adobe has released updates for the Flash Player and Shockwave Player to address vulnerabilities in the previous versions. In the case of the Flash vulnerability, Adobe says that there is an exploit available, but not whether it is being used in the wild.
The vulnerabilities in the old Flash Player are both critical and highest priority. The vulnerable versions are:
•Adobe Flash Player 11.9.900.152 and earlier versions for Windows and Macintosh
•Adobe Flash Player 18.104.22.1687 and earlier versions for Linux
•Adobe AIR 22.214.171.1240 and earlier versions for Windows and Macintosh
•Adobe AIR 126.96.36.1990 and earlier versions for Android
•Adobe AIR 188.8.131.520 SDK and earlier versions
•Adobe AIR 184.108.40.2060 SDK & Compiler and earlier versions
Flash Player users on Windows and Mac should update to version 11.9.900.170. Flash Player users on Linux should update to version 220.127.116.112. The current version of Google Chrome (31.0.1650.63) already integrates the current version of Flash Player, as does the latest versions of Internet Explorer 10 and 11.
The vulnerabilities in Flash could cause the player to crash or execute remote code. Adobe says that they are "...aware of reports that an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content exists..." Adobe Flash Player has mitigated against this form of attack since version 11.6.
One of the Flash Player vulnerabilities is described in detail by its author, Attila Suszter of Reversing on Windows blog.
The Shockwave Player vulnerabilities could also result in remote code execution. Shockwave Player 18.104.22.168 and earlier versions on Windows and Mac are vulnerable. The new, fixed version is 22.214.171.124.
December 11th, 2013, 09:42 GMT · By Ionut Ilascu
Flash Player Vulnerabilities Patched by Adobe
Adobe announced that two security vulnerabilities (CVE-2013-5331 and CVE-2013-5332) available in Flash Player 11.9.900.152 had been addressed in the recently released update for the software.
The company received reports that an exploit existed for CVE-2013-5331, but it has not released information about its being actively leveraged, although some sources suggest so.
The exploited vulnerability could trick the user into opening a Microsoft Word document with malicious Flash (SWF) content inside.
However, Adobe informs that this type of attack can be foiled through the Click-to-Play for Office feature, implemented back in Flash Player 11.6 and designed for Microsoft Office versions without Protected View feature to warn users that content may be harmful.
Protected View was introduced in Office 2010 and kicks off when the document is considered to be from an unreliable source, limiting privileges of the content in the file. In the case of Flash, content is prevented from executing by default.
The current Flash Player update (11.9.900.170 for Windows and Mac; 126.96.36.1992 for Linux) does away with some “type confusion” and “memory corruption” vulnerabilities that could lead to code execution.
Apart from security fixes, the new revision brings to the table various repairs touching mostly on functionality on Windows 8 and 8.1. It also does away with a glitch in Google Chrome (Windows) that caused some 3D content to be rendered only in the lower left corner of the screen.
Adobe Shockwave Player has also increased its build number, to 188.8.131.52, after receiving security updates for two critical flaws (memory corruption) that could allow an attacker to run malicious code on the affected machine.
Both in the case of Flash and Shockwave Player Adobe issued the updates with the highest priority rating, which implies that the vulnerabilities are already targeted in the wild or present a higher risk to be; it is recommended to install them with the utmost urgency.
Not a customer already?