Adobe has released security updates for its Flash Player and Shockwave Player products as well as hotfixes for ColdFusion. The updates close critical vulnerabilities. Of the holes in ColdFusion, one is rated “Critical”, while the other is rated “Important”.
The patches for Flash Player fix security holes that allowed potential attackers to trigger crashes and take control of affected systems. Windows and Mac users should update to version 11.8.800.94. An update to version 188.8.131.527 is available for Linux. The versions of Flash Player for Google Chrome (11.8.800.97) and for Internet Explorer 10 (11.8.800.94) should update automatically. Recent Android 4.x systems can be made current by updating to 184.108.40.206 (Adobe unsupported archive download). Older versions of Android such as 3.x and 2.x should be updated to version 220.127.116.11 of Flash Player (Adobe unsupported archive download).
The security hole in Adobe’s Shockwave also enables attackers to execute malicious code on a system. Windows and Mac OS X users can fix their players by updating to version 18.104.22.168.
Hotfixes are now available for a total of two vulnerabilities in Adobe’s ColdFusion. In ColdFusion 10 for Windows, Mac OS X and Linux, security hole CVE-2013-3350 enables attackers to “invoke public methods on ColdFusion Components using WebSockets”. Security hole CVE-2013-3349 in ColdFusion versions 9.0, 9.0.1 and 9.0.2 that run on JRun could trigger denial-of-service (DoS) scenarios. This hole doesn’t affect ColdFusion 10.