Adobe Fixes Flash, ColdFusion and Shockwave

The three Flash vulnerabilities are CVE-2013-3344, CVE-2013-3345 and CVE-2013-3347. The first is a heap buffer overflow vulnerability that could lead to code execution and was discovered by the Google security team. The second is a memory corruption vulnerability that could lead to code execution, and was also discovered by the Google security team. The third is an integer overflow when resampling a user-supplied PCM buffer, and was discovered by Vulnazoid and reported via HP's Zero Day Initiative.

The latest versions of Flash are available from the Adobe download center, but, warns Brian Krebs, "beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here."

There are two hotfixes for ColdFusion, each applying to a different version. Version 9 users have vulnerability CVE-2013-3349 fixed; this could be exploited to cause a denial of service condition. ColdFusion version 10 users have vulnerability CVE-2013-3350 fixed; this could permit an attacker to invoke public methods on ColdFusion Components (CFC) using WebSockets. "ColdFusion 10 customers are not affected by CVE-2013-3349", notes Adobe.

The former was discovered by Terry Ford and the latter by Henry Ho, both of whom are thanked by Adobe "for responsibly disclosing these issues and working with Adobe to protect our customers."

The Shockwave update "addresses a vulnerability that could allow an attacker, who successfully exploits this vulnerability, to run malicious code on the affected system." The latest version of Shockwave is available here. The vulnerability was discovered by Honggang Ren of Fortinet's FortiGuard Labs.

Chester Wisniewski of Sophos has his own Shockwave upgrade advice: "The solution to this problem is to remove it from your computer. You don't need it," he suggests in the Sophos Naked Security blog.

Krebs agrees. "Shockwave is one of those programs that I’ve urged readers to remove or avoid installing. Like Java, it is powerful and very often buggy software that many people have installed but do not really need for everyday web browsing." He points out that security doesn't just mean locking down the system, "but removing unneeded programs, and Shockwave is near the top of my list on that front."
