Adobe Systems has released improved versions of Flash Player, Shockwave Player and ColdFusion to patch critical vulnerabilities in these. As stated by Adobe “these vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system”
The new versions of Flash Player for Windows and Mac (Flash Player 11.7.700.169) and Linux (Flash Player 18.104.22.1680) address the following flaws:
- Integer overflow vulnerability that could be used by attackers to execute a malicious code.
- Memory corruption issues including improper initiation of pointer arrays that could again allow hackers to access the device, cause a denial of service or execute a malicious code.
The update for Windows and Macintosh editions of Adobe Shockwave Player and a hotfix for ColdFusion address the following issues:
- Vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.
- A buffer overflow vulnerability that could be used to run malicious code.
- Memory corruption vulnerability that could be used by attackers to infect the device.
- Memory leakage vulnerability that could be exploited to reduce the effectiveness of address space randomization, which exposes the key data areas in the device to attacks.
- The hotfix for shockwave player resolves an issue that could be used by an unauthorized user to gain access to ColdFusion administrator console.
- The hotfix also resolves a vulnerability that could be exploited to impersonate an authenticated user.
We recommend the users of Adobe Flash Player 11.6.602.180 and earlier versions for Mac OS X should update to Adobe Flash Player 11.7.700.169. Users of Adobe AIR 22.214.171.12490 and earlier versions should install the 26.2 MB update to Adobe AIR 3.7 (Macintosh). Please update to the latest Shockwave Player Shockwave 126.96.36.199. ColdFusion users should update the software using the instructions
For more details, please visit https://blogs.adobe.com/psirt/