Adobe Patches Critical Vulnerabilities in Flash and Shockwave

The Flash Player update fixes vulnerabilities CVE-2013-5331 and CVE-2013-5332 on all platforms. Adobe says it "is aware of reports that an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content exists for CVE-2013-5331." 

The vulnerability was found by researcher Attila Suszter, who has now blogged with the technical details. He notes that it is another use-after-free bug, and suspects there may be more in the Adobe code.  "Therefore," he notes, "for Adobe, it would be beneficial to review the entire code base for unsafe dialog box calls." But he also adds, "Mozilla long time back fixed the problem by permanently keeping the plugin in the memory in Firefox process."

Kaspersky Lab security expert Roel Schouwenberg notes, "Though Flash 11.6 introduced Click-to-Play for Office, users may still be socially engineered into running Flash content in Office documents. Make sure to apply this patch promptly."

Full details on how to verify which version is running, and how to update that version to the latest as necessary, can be found on the Adobe Security Bulletin page. Highest priority is given to Flash Player on Windows and Macintosh, and less so to Adobe AIR on these and other platforms.

The Shockwave update fixes vulnerabilities CVE-2013-5333 and CVE-2013-5334 on Windows and Macintosh. "This update," says Adobe, "addresses a vulnerability that could allow an attacker, who successfully exploits this vulnerability, to run malicious code on the affected system." Although there are no reports of it currently being exploited, it to should be installed as soon as possible. The latest version of Shockwave ( is available here.

"Attackers are hoping people are going to wait till after the holidays with applying patches, when there's less staff around," warns Schouwenberg. "Patch now instead."

What’s Hot on Infosecurity Magazine?