Urgent security patches for ColdFusion, Adobe Reader, Acrobat and Flash
On its May Patch Tuesday, Adobe closed a variety of critical security holes in Adobe Reader, Acrobat and Flash and released an important hotfix for ColdFusion. The hotfix closes a security hole that has already been exploited to compromise scores of servers.
The updates to Flash Player and AIR will affect almost everyone – Adobe has closed numerous security holes with a total of 13 CVE numbers. The holes are caused by memory errors that can be exploited to inject malicious code. As the Flash update for Windows has been rated at the highest priority, Windows users should install it as soon as possible. The current version is 11.7.700.202.
Patched versions have also been released for all other supported operating systems (including Android). Further updates affect the users of version 10 of Flash Player. A complete overview is available in the advisory. Google Chrome and Internet Explorer 10 under Windows 8 will be updated automatically.
The updates for Adobe Reader and Acrobat are also quite substantial: they fix vulnerabilities that have been assigned a total of 27 CVE numbers. Most of them are memory overflow issues. The updates for version 9 under Windows have the highest priority: because this version lacks the sandbox present in later versions, it is particularly easy for attackers to inject malicious code into systems. Versions 9.5.5, 10.1.7 (X) and 11.0.03 (XI) fix the issues.
Those who operate ColdFusion servers should pay particular attention: on Tuesday, Adobe released an important hotfix for ColdFusion 9 to 10 that administrators should install immediately. It closes a critical security hole that allows attackers to take control of a server. An exploit that targets this vulnerability is already being circulated on the net. Numerous systems have already fallen victim to hackers who exploit this hole, and administrators should act immediately.