• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Adobe Patch Day Delivers Flash and ColdFusion Security Updates

August 11, 2010 By The Editor

Emergency Reader Update Expected Later this Month

11 August, 2010

Summary:

  • This vulnerability affects: Adobe Flash Player, Flash Media Server, and ColdFusion for Windows, Mac, and UNIX computers
  • How an attacker exploits it: Multiple vectors, such as enticing your users to a malicious website or sending malicious requests to your web server
  • Impact: Various, in the worst case an attacker can execute code on your computer or server, potentially gaining control of it
  • What to do: Install Adobe’s updates as soon as possible or let Adobe’s Updater do it for you

Exposure:

Yesterday, Adobe released three security bulletins describing 11 vulnerabilities (based on CVE numbers) that affect various Adobe Products, including Flash Player, Flash Media Server, and ColdFusion running on all platforms; many of them critical. We summarize these bulletins below.

  • APSB10-16: Adobe Flash Player Security Update

Affects: Adobe Flash Player 10.1.53.64 and Adobe AIR 2.0.2.12610 and earlier, running on all platforms (Win, Mac, Linux, and Solaris)

Adobe Flash Player displays interactive, animated web content called Flash. A recent report from Secunia stats that 99% of Windows computers have Adobe Flash Player installed, so you users very likely have it. Adobe’s update fixes six security vulnerabilities in Flash Player, which they don’t describe in much technical detail. However, they do describe the general scope and impact of these flaws. In the worst case, if an attacker can lure one of your users to a malicious website, they could exploit some of these flaws to gain control of that user’s computer. We assume the attacker would only gain the privileges of the logged in user. However, since most Windows users have local administrator privileges, the attacker would likely gain full control of Windows machines.
Microsoft rating: Critical.

  • APSB10-19: Adobe Flash Media Server Security Update

Affects: Adobe Flash Media Server (FMS) 3.5.3 and 3.0.5 and earlier, running on Windows and Linux platforms

Adobe Flash Media Server is a product specifically designed to help you stream Flash media over the web. According to Adobe, it suffers from four unspecified security vulnerabilities. Three of the vulnerabilities can lead to Denial of Service (DoS) situations, while the fourth could allow a remote attacker to execute code on your Flash Media Server. Unfortunately, Adobe doesn’t describe exactly how an attacker might exploit these vulnerabilities. We assume they’d have to send some sort of specially crafted request to the Flash Media Server. Adobe also doesn’t implicitly state what level of privilege an attacker’s code would execute with. However, they do assign a Critical rating to this flaw. Without these details we can only assume that an attacker could leverage it to gain full control of a Flash Media Server.
Microsoft rating: Critical.

  • APSB10-18: Adobe ColdFusion Security Hotfix

Affects: Adobe ColdFusion 9.0.1, running on all platforms (Win, Mac, and UNIX)

Adobe ColdFusion is an application server that allows you to develop and deploy web applications. It suffers from an unspecified directory traversal vulnerability, which is essentially a class of vulnerability that allows an attacker to gain access to directories on a server that they should not have access to, thus potentially giving them access to sensitive information. Adobe’s bulletin shares very little about the scope of this flaw, so we’re unsure how easy or hard it is for attackers to leverage. They rate the hotfix as Important.
Microsoft rating: Important.

Besides the three full security bulletins, Adobe also released an early bulletin announcing an upcoming Adobe Reader update that they plan to release later this month. Among other things, this update will include a fix for a PDF related vulnerability that a researcher named Charlie Miller disclosed at the Blackhat 2010 security conference. We expect Adobe to release this final update on or around August 16, and will publish another alert when they do.

Solution Path

Adobe has released updates to correct the issues in all these products.  You should download and deploy the corresponding updates immediately, or let the Adobe Software Updater program do it for you.

  • APSB10-16: Adobe Flash Player Security Updates
  • Download Flash Player 10.1.82.76 (or network distribution version)
  • Download AIR 2.0.3
  • Download Flash Professional CS5, Flash CS4 Professional and Flex 4 10.1.82.76
  • Download Flash CS3 Professional and Flex 3 9.0.280
  • APSB10-19: Adobe Flash Media Server Security Updates
  • Download Flash Media Server version 3.5.4 or Flash Media Server version 3.0.6
  • APSB10-18: Adobe ColdFusion Security Hotfix
  • Install the ColdFusion update described in this technote

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods, many of which leverage normal HTTP traffic that most administrators must allow.  Therefore, installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches that correct these vulnerabilities.

References:

  • APSB10-16: Adobe Flash Player Security Updates
  • APSB10-19: Adobe Flash Media Server Security Updates
  • APSB10-18: Adobe ColdFusion Security Hotfix

This alert was researched and written by Corey Nachreiner, CISSP.

Share This:

Related

Filed Under: Security Bytes Tagged With: Adobe

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • Here Come The Regulations
  • Successfully Prosecuting a Russian Hacker

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use