Adobe Patch Day: Updates for Flash, Shockwave, and Photoshop

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Shockwave Player, Flash Player, Flash Media Server, and Photoshop
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Yesterday, Adobe released five security bulletins describing vulnerabilities in many of their popular software packages, including Shockwave Player, Flash Player, Flash Media Server, Photoshop, and Robohelp. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. The summary below details some of the vulnerabilities in these popular software packages.

  • APSB11-19: Seven Shockwave Player Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin warns of seven security vulnerabilities that affect Shockwave Player 11.6.0.626 and earlier for Windows and Macintosh. The bulletin doesn’t describe the flaws in much technical detail; it only describes the nature and basic impact of each one. For the most part, the flaws are unspecified memory corruption vulnerabilities. Though they differ technically, most of them share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit these flaws to gain full control of their PCs.
Adobe Severity: Critical

  • APSB11-20: Flash Media Server DoS Vulnerability

Adobe Flash Player displays interactive, animated web content called Flash. Flash Media Server allows administrators to stream Flash content.

Flash Media Server 4.0.2 and earlier suffer from an unspecified Denial of Service (DoS) vulnerability. Adobe does not share any relevant detail about this flaw, including how an attacker might exploit it. They only state that an attacker could somehow exploit the flaw to launch a DoS attack against your media server.
Adobe Severity: Critical

  • APSB11-21: Flash Player Update Corrects 13 Security Flaws

Adobe Flash Player displays interactive, animated web content called Flash. A recent report from Secunia states that 99% of Windows computers have Adobe Flash Player installed, so your users very likely have it.

Adobe’s update fixes 13 security vulnerabilities in Flash Player (for Windows, Mac, Linux, and Solaris), which they don’t describe in much technical detail. However, they do describe the general scope and impact of these flaws. In the worst case, if an attacker can lure one of your users to a malicious website, they could exploit some of these flaws to gain control of that user’s computer. We assume the attacker would only gain the privileges of the logged-in user. However, since most Windows users have local administrator privileges, the attacker would likely gain full control of Windows machines.
Adobe Severity: Critical

  • APSB11-22: Photoshop GIF Handling Vulnerability

Photoshop is a popular image editing program. Photoshop CS5 suffers from an unspecified vulnerability involving its inability to properly handle specially crafted GIF images. If an attacker can trick you into downloading and opening a malicious GIF image in Photoshop, she can exploit this flaw to execute code on your machine, with your privileges. If you have local admin privileges, the attacker gains complete control of your computer.
Adobe Severity: Critical

RoboHelp 9 is software that helps you create help systems. It suffers from an unspecified Cross-Site Scripting (XSS) vulnerability. By enticing one of your users into clicking a specially crafted link, an attacker could run script on that user’s computer in the context of the RoboHelp component.
Adobe Severity: Important

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured firewall can mitigate the risk of some of these issues. That said, the Firebox cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

This alert was researched and written by Corey Nachreiner, CISSP.

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

Trackbacks/Pingbacks

  1. Adobe Patch Day: Updates for Flash, Shockwave, and Photoshop | microreksa - August 10, 2011
