
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Adobe Patch Day: Updates for Reader X, Flash, and Shockwave Player

August 14, 2012 By Corey Nachreiner

Severity: High

Summary:

  • These vulnerabilities affect: Shockwave Player, Flash Player, Reader X, and Acrobat X
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released three security bulletins describing vulnerabilities in many of their popular software packages, including Shockwave Player, Flash Player, and Reader and Acrobat X.

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize these three Adobe security bulletins below:

  • APSB12-16: Multiple Reader and Acrobat Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes 20 vulnerabilities that affect Adobe Reader and Acrobat X 10.1.3 and earlier, running on Windows and Macintosh. Adobe doesn’t describe the flaws in much technical detail, but does note that most of them involve buffer overflow and memory corruption issues. Almost all of them share the same scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit any of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB12-17: Five Shockwave Memory Corruption Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin warns of five unspecified memory corruption vulnerabilities that affect Shockwave Player 11.6.5.635 and earlier for Windows and Macintosh. All five flaws share the same impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

Adobe Priority Rating: 2 (Patch within 30 days)

  • APSB12-18: Flash Player Code Execution Vulnerability

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Adobe’s bulletin describes a serious flaw that affects Flash Player 11.3.300.270 and earlier for all platforms. They don’t describe the vulnerability (CVE-2012-1535) in detail, but they do describe its impact. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit this flaw to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe also warns that attackers are currently exploiting this flaw in the wild via malicious Word documents, which target Windows users. We highly recommend you patch Flash Player immediately.

Adobe Priority Rating: 1 (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.

  • APSB12-16: 
    • Adobe Reader X 10.1.4
      • For Windows
      • For Mac
    • Adobe Acrobat X 10.1.4
      • Standard and Pro for Windows
      • Pro Extended for Windows
      • Pro for Mac
  • APSB12-17: Upgrade to Shockwave 11.6.6.636
  • APSB12-18: Download the latest Flash Player
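
To find which machines still need these updates, the sketch below checks a software inventory against the affected versions and Adobe priority windows listed in this alert. It is an added example, not part of the original alert or Adobe's tooling; the inventory format, host names, and sample versions are constructed, and counting each patch window from the alert date is an assumption.

```python
from datetime import datetime, timedelta

# From the alert: bulletin ID, highest affected version, Adobe priority rating.
AFFECTED = {
    "Adobe Reader X":   ("APSB12-16", "10.1.3", 1),
    "Adobe Acrobat X":  ("APSB12-16", "10.1.3", 1),
    "Shockwave Player": ("APSB12-17", "11.6.5.635", 2),
    "Flash Player":     ("APSB12-18", "11.3.300.270", 1),
}
# Priority 1 = patch within 72 hours, priority 2 = patch within 30 days.
PATCH_WINDOW = {1: timedelta(hours=72), 2: timedelta(days=30)}
BULLETIN_DATE = datetime(2012, 8, 14)  # assumption: windows start on the alert date

# Constructed sample inventory: host,product,installed version.
SAMPLE_INVENTORY = """\
ws-001,Flash Player,11.3.300.270
ws-001,Adobe Reader X,10.1.4
ws-002,Shockwave Player,11.6.5.635
ws-003,Adobe Acrobat X,10.1.2
ws-003,Flash Player,11.4.0.1
ws-004,Adobe Reader X,10.1.10
"""

def parse_version(text, width=4):
    """Turn '10.1.3' into (10, 1, 3, 0) so fields compare as numbers, not text."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def is_affected(installed, highest_affected):
    # A plain string compare would wrongly rank '10.1.10' below '10.1.3'.
    return parse_version(installed) <= parse_version(highest_affected)

def audit(inventory_text):
    """Return (deadline, host, product, version, bulletin), most urgent first."""
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, product, version = (field.strip() for field in line.split(","))
        if product not in AFFECTED:
            continue
        bulletin, highest, priority = AFFECTED[product]
        if is_affected(version, highest):
            deadline = BULLETIN_DATE + PATCH_WINDOW[priority]
            findings.append((deadline, host, product, version, bulletin))
    return sorted(findings)

if __name__ == "__main__":
    for deadline, host, product, version, bulletin in audit(SAMPLE_INVENTORY):
        print(f"{deadline:%Y-%m-%d}  {host}  {product} {version}  ({bulletin})")
```
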

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

References:

    • Adobe Security Update APSB12-16
    • Adobe Security Update APSB12-17
    • Adobe Security Update APSB12-18

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


Filed Under: Security Bytes Tagged With: Adobe, Photoshop, shockwave, Updates and patches

Comments

  1. Frankie says

    August 14, 2012 at 9:45 pm

    Running an admin point install, fails on the AdobeArmHelper.exe could not be found in data1.cab. “It could indicate a network error, a problem with this CD-ROM or a problem with this package”. Lol. Circus. Bring on 10.1.5, maybe it’ll bring world peace.

