Although all of the vulnerabilities were rated as critical, Adobe did not rate them as Priority 1 because it is not aware of any exploits of the flaws in the wild.
For Shockwave Player 11.6.4.634 and earlier versions for Windows and Mac, Adobe fixed five memory corruption vulnerabilities that could be exploited by an attacker to run malicious code on the affected system.
Adobe advised users to update to Shockwave Player 11.6.5.635. It acknowledged the help of Rodrigo Rubira Branco with Qualys and Honggang Ren of Fortinet in identifying and fixing the Shockwave vulnerabilities.
In addition, Adobe shipped patches for five vulnerabilities in Illustrator, two vulnerabilities in Photoshop, and one hole in Flash Professional.
Adobe released a security upgrade for Illustrator CS5.5 and earlier versions for Windows and Mac that also plugged five memory corruption flaws that could enable an attacker to take control of the affected system.
The company advised users to upgrade to Illustrator CS6. “For users who cannot upgrade to Adobe Illustrator CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources”, the company added.
Adobe thanked Felipe Andres Manzano with iSIGHT Partners, Justin Kim with Microsoft, and Tielei Wang with Georgia Tech for help with the Illustrator fixes.
For Photoshop, Adobe patched user-after-free TIFF and buffer overflow vulnerabilities that could lead to code execution, and, for Flash Professional, the company fixed a buffer overflow vulnerability that could also lead to code execution.
The H Security website noted that the security fixes for Photoshop, Illustrator, and Flash Professional require users to spend money to purchase a software upgrade. Only the Shockwave fixes are free.