• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Adobe Patch Day: Flash and ColdFusion Updates

December 11, 2012 By Corey Nachreiner

Severity: High

Summary:

  • These vulnerabilities affect: Flash Player and ColdFusion 1o
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released two security bulletins, describing vulnerabilities in their Flash Player and ColdFusion products.

Adobe Patch Day: December 2012

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize the Adobe security bulletins below:

  • APSB12-27: Flash Player Code Execution Vulnerabilities

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Adobe’s bulletin describes a three vulnerabilities in Flash Player 11.5.502.110 and earlier for all platforms. The three flaws consist of various buffer overflow and memory corruption flaws, all of which attackers can leverage to execute arbitrary code. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

They assign these flaws their highest severity rating for Windows computers, but a lesser severity for Mac and Linux machines.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB12-26: ColdFusion Sandbox Bypass Flaw

Adobe ColdFusion is an application server that allows you to develop and deploy web applications. It suffers from what Adobe only describes as “a sandbox permissions violation in a shared hosting environment.” The bulletin shares very little about the scope of this flaw (CVE-2012-5675), so we’re unsure how easy or hard it is for attackers to leverage. Adobe rates it as Priority 2 issue, which is essentially their medium severity rating.

Adobe Priority Rating: 2 (Patch within 30 days)

Solution Path:

Adobe has released updates for all their affected software. If you use Flash Player or ColdFusion, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.

  • APSB12-27: Download the latest Flash Player
  • APSB12-26: Download, test, and install the latest ColdFusion hotfix.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

References:

    • Adobe Security Update APSB12-27
    • Adobe Security Update APSB12-26

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Share This:

Related

Filed Under: Security Bytes Tagged With: Adobe, Photoshop, shockwave, Updates and patches

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Scratching the Surface of Rhysida Ransomware
  • An Interview with ChatGPT
  • TikTok is Banned, Kind Of
  • Naming APTs

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • How Not to Update Software
  • Naming APTs
  • TikTok is Banned, Kind Of
  • Scratching the Surface of Rhysida Ransomware
  • An Interview with ChatGPT
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use