Adobe fixes critical vulnerabilities in four products on patch day
On its official patch day, Adobe has released updates to fix security vulnerabilities in five products: Shockwave Player, Flash Media Server, Flash Player, Photoshop CS5 and RoboHelp; with the exception of RoboHelp, the programs are described as containing critical vulnerabilities.
The update for Flash Player addresses the greatest number of vulnerabilities: 13, according to Adobe's list. This number has been challenged by Tavis Ormandy, a Google Security Engineer, who claims it is much higher: 400. According to Adobe, none of the fixed vulnerabilities are currently being exploited by known malware. The holes in Flash Player mainly concern memory corruption and buffer overflows that could cause a system to crash or allow an attacker to take control. Versions 10.3.181.36 and earlier for Windows, Macintosh, Linux and Solaris, and 10.3.185.25 and earlier for Android are affected. Users unsure which version of Adobe Flash Player is installed on their system can check the version number on the Flash Player web page.
Next in terms of number of vulnerabilities is version 22.214.171.1246 or earlier of Shockwave Player on the Windows and Mac operating systems. The seven holes all concern memory corruption that could lead to remote code execution. Affected users are advised by Adobe to upgrade to version 126.96.36.1999 by following the instructions on the Adobe site.
A single critical vulnerability has been fixed in Flash Media Server versions 4.0.2 and 3.5.6 and earlier for Windows and Linux. This is also a memory corruption problem, one that could allow a successful denial-of-service attack against an affected system. Updates (4.0.3 and 3.5.7) are available to download.
Similarly, a single memory corruption problem that could allow an attacker to take control of a system using a crafted GIF file has been fixed in Photoshop CS5 and CS5.1 on Windows and Macintosh. The updates are available to download for Windows, Windows 64 and Macintosh.