Adobe Patch Day: Updates for Flash, Shockwave, and Photoshop


Ioannis Zontos


Severity: High

Summary:

· These vulnerabilities affect: Adobe Shockwave Player, Flash Player, Flash Media Server, and Photoshop

· How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites

· Impact: Various results; in the worst case, an attacker can gain complete control of your computer

· What to do: Install the appropriate Adobe patches immediately, or let Adobe's updater do it for you.

Exposure:

Yesterday, Adobe released five security bulletins describing vulnerabilities in many of their popular software packages, including Shockwave Player, Flash Player, Flash Media Server, Photoshop, and RoboHelp. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. The summary below details some of the vulnerabilities in these popular software packages.

· APSB11-19: Seven Shockwave Player Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin warns of seven security vulnerabilities that affect Shockwave Player 11.6.0.626 and all earlier versions for Windows and Macintosh. The bulletin doesn’t describe the flaws in much technical detail; it gives only the nature and basic impact of each flaw. For the most part, the flaws are unspecified memory corruption vulnerabilities. Though they differ technically, most of them share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing malicious Shockwave content, he could exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit these flaws to gain full control of their PC.

Adobe Severity: Critical

· APSB11-20: Flash Media Server DoS Vulnerability

Adobe Flash Player displays interactive, animated web content called Flash. Flash Media Server allows administrators to stream Flash content.

Flash Media Server 4.0.2 and earlier suffer from an unspecified Denial of Service (DoS) vulnerability. Adobe shares no relevant detail about this flaw, including how an attacker might exploit it. They say only that an attacker could exploit the flaw to launch a DoS attack against your media server.

Adobe Severity: Critical

· APSB11-21: Flash Player Update Corrects 13 Security Flaws

Adobe Flash Player displays interactive, animated web content called Flash. A recent report from Secunia states that 99% of Windows computers have Adobe Flash Player installed, so your users very likely have it.

Adobe’s update fixes 13 security vulnerabilities in Flash Player (for Windows, Mac, Linux, and Solaris), which they don’t describe in much technical detail. However, they do describe the general scope and impact of these flaws. In the worst case, if an attacker can lure one of your users to a malicious website, they could exploit some of these flaws to gain control of that user’s computer. We assume the attacker would only gain the privileges of the logged-in user. However, since most Windows users have local administrator privileges, the attacker would likely gain full control of Windows machines.

Adobe Severity: Critical

· APSB11-22: Photoshop GIF Handling Vulnerability

Photoshop is a popular image editing program. Photoshop CS5 suffers from an unspecified vulnerability involving its inability to properly handle specially crafted GIF images. If an attacker can trick you into downloading and opening a malicious GIF image in Photoshop, she can exploit this flaw to execute code on your machine, with your privileges. If you have local admin privileges, the attacker gains complete control of your computer.

Adobe Severity: Critical

· APSB11-23: RoboHelp XSS Flaw

RoboHelp 9 is software that helps you create help systems. It suffers from an unspecified Cross-Site Scripting (XSS) vulnerability. By enticing one of your users into clicking a specially crafted link, an attacker could run script on that user’s computer under the context of the RoboHelp component.

Adobe Severity: Important

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

· APSB11-19: Upgrade to Shockwave 11.6.1.629

· APSB11-20: Upgrade to Flash Media Server 4.0.3 or 3.5.7

· APSB11-21: Upgrade to Flash Player 10.3.183.5

· APSB11-22:

o Photoshop CS5 for Windows

o Photoshop CS5 for Windows x64

o Photoshop CS5 for Mac

· APSB11-23: Upgrade RoboHelp 8 and 9:

o RoboHelp 8

o RoboHelp 9
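
An added example, not part of the original advisory or any Adobe tooling: a small inventory check against the fixed versions listed above. The host names and installed versions are constructed sample data, and treating 3.5.7 as the fixed build for the 3.5.x branch of Flash Media Server is an assumption based on the "4.0.3 or 3.5.7" wording.

```python
# Fixed builds as listed in the Solution Path. Photoshop CS5 and RoboHelp are
# left out because the page gives no fixed version number for them.
FIXED = {
    "Shockwave Player": ["11.6.1.629"],
    "Flash Media Server": ["3.5.7", "4.0.3"],
    "Flash Player": ["10.3.183.5"],
}

def parse(version, width=4):
    """'4.0.3' -> (4, 0, 3, 0): numeric, zero-padded so short forms compare equal."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def is_patched(product, installed):
    """True if `installed` is at or above the fixed build for its release branch."""
    fixed = sorted(parse(v) for v in FIXED[product])
    have = parse(installed)
    if have >= fixed[-1]:
        return True
    # Assumption: an older branch (same major.minor) is patched from its own
    # fixed build onward, e.g. Flash Media Server 3.5.7 on the 3.5.x branch.
    return any(have[:2] == f[:2] and have >= f for f in fixed)

def audit(inventory):
    """Return (host, product, version) for every install that still needs the update."""
    return [
        (host, product, version)
        for host, product, version in inventory
        if product in FIXED and not is_patched(product, version)
    ]

# Constructed sample inventory (hypothetical hosts and installed versions).
INVENTORY = [
    ("ws-014", "Flash Player", "10.3.183.5"),
    ("ws-015", "Flash Player", "9.0.289.0"),    # "9..." sorts above "10..." as text
    ("ws-020", "Shockwave Player", "11.6.0.626"),
    ("media-01", "Flash Media Server", "3.5.7"),
    ("media-02", "Flash Media Server", "4.0.2"),
    ("ws-031", "Photoshop CS5", "12.0"),         # not tracked: no version on the page
]

if __name__ == "__main__":
    for host, product, version in audit(INVENTORY):
        print(f"{host}: {product} {version} needs one of {FIXED[product]}")
```

Comparing the dotted versions as plain strings would report 9.0.289.0 as newer than 10.3.183.5, and a single "below 4.0.3" rule would flag a patched 3.5.7 media server; the numeric, per-branch comparison avoids both.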

Status:

Adobe has released patches correcting these issues.

References:

o Adobe Security Update APSB11-19

o Adobe Security Update APSB11-20

o Adobe Security Update APSB11-21

o Adobe Security Update APSB11-22

o Adobe Security Update APSB11-23
