Severity: High
Summary:
- These vulnerabilities affect: Flash Player and ColdFusion 1o
- How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
- Impact: Various results; in the worst case, an attacker can gain complete control of your computer
- What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.
Exposure:
Today, Adobe released two security bulletins, describing vulnerabilities in their Flash Player and ColdFusion products.
A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize the Adobe security bulletins below:
- APSB12-27: Flash Player Code Execution Vulnerabilities
Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.
Adobe’s bulletin describes a three vulnerabilities in Flash Player 11.5.502.110 and earlier for all platforms. The three flaws consist of various buffer overflow and memory corruption flaws, all of which attackers can leverage to execute arbitrary code. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.
They assign these flaws their highest severity rating for Windows computers, but a lesser severity for Mac and Linux machines.
Adobe Priority Rating: 1 (Patch within 72 hours)
- APSB12-26: ColdFusion Sandbox Bypass Flaw
Adobe ColdFusion is an application server that allows you to develop and deploy web applications. It suffers from what Adobe only describes as “a sandbox permissions violation in a shared hosting environment.” The bulletin shares very little about the scope of this flaw (CVE-2012-5675), so we’re unsure how easy or hard it is for attackers to leverage. Adobe rates it as Priority 2 issue, which is essentially their medium severity rating.
Adobe Priority Rating: 2 (Patch within 30 days)
Solution Path:
Adobe has released updates for all their affected software. If you use Flash Player or ColdFusion, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.
- APSB12-27: Download the latest Flash Player
- APSB12-26: Download, test, and install the latest ColdFusion hotfix.
For All WatchGuard Users:
Attackers can exploit these flaws using diverse exploitation methods. Installing Adobe’s updates is your most secure course of action.
Status:
Adobe has released patches correcting these issues.
References:
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).