Adobe Patch Day: Updates for Reader X, Flash, and Shockwave Player

Severity: High

Summary:

  • These vulnerabilities affect: Shockwave Player, Flash Player, Reader X, and Acrobat X
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released three security bulletins describing vulnerabilities in many of their popular software packages, including Shockwave Player, Flash Player, and Reader and Acrobat X.

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize these three Adobe security bulletins below:

  • APSB12-16: Multiple Reader and Acrobat Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes 20 vulnerabilities that affect Adobe Reader and Acrobat X 10.1.3 and earlier, running on Windows and Macintosh. Adobe doesn’t describe the flaws in much technical detail, but does note that most of them involve buffer overflow and memory corruption issues. Almost all of them share the same scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit any of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB12-17: Five Shockwave Memory Corruption Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin warns of five unspecified memory corruption vulnerabilities that affect Shockwave Player 11.6.5.635 and earlier for Windows and Macintosh. All five flaws share the same impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

Adobe Priority Rating: 2 (Patch within 30 days)

  • APSB12-18: Flash Player Code Execution Vulnerability

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Adobe’s bulletin describes a serious flaw that affects Flash Player 11.3.300.270 and earlier for all platforms. They don’t describe the vulnerability (CVE-2012-1535) in detail, but they do describe its impact. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit this flaw to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe also warns that attackers are currently exploiting this flaw in the wild via malicious Word documents, which target Windows users. We highly recommend you patch Flash Player immediately.

Adobe Priority Rating: 1 (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Installing Adobe’s updates is your most secure course of action.
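
To find which machines still run an affected version, the following added example (not part of the original alert and not Adobe's tooling) checks a software inventory against the last affected versions and priority ratings quoted above and orders the results by patch deadline. The host names, inventory rows and release timestamp are constructed placeholders, and it assumes any version at or below the quoted one is affected.

```python
from datetime import datetime, timedelta

# Last affected version and Adobe priority rating per product, as quoted in the alert.
BULLETINS = {
    "reader":    ("APSB12-16", (10, 1, 3), 1),
    "acrobat":   ("APSB12-16", (10, 1, 3), 1),
    "shockwave": ("APSB12-17", (11, 6, 5, 635), 2),
    "flash":     ("APSB12-18", (11, 3, 300, 270), 1),
}
# Patch windows that the alert attaches to each priority rating.
PATCH_WINDOW = {1: timedelta(hours=72), 2: timedelta(days=30)}
# Constructed sample inventory: (host, product, installed version).
SAMPLE = [
    ("ws-01", "flash", "11.3.300.270"),
    ("ws-02", "shockwave", "11.6.5.635"),
    ("ws-03", "reader", "10.1.3.0"),
    ("ws-04", "flash", "11.3.300.271"),  # constructed version above the affected range
]
RELEASED = datetime(2012, 1, 1)  # placeholder, not the real bulletin release time

def parse_version(text):
    """Turn '11.3.300.270' into (11, 3, 300, 270); reject non-numeric parts."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(version, last_affected):
    """Zero-pad both tuples so 10.1.3.0 compares equal to 10.1.3."""
    width = max(len(version), len(last_affected))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) <= pad(last_affected)

def triage(inventory, released):
    """Return (deadline, host, product, version, bulletin) rows, most urgent first."""
    findings = []
    for host, product, version in inventory:
        entry = BULLETINS.get(product.lower())
        if entry is None:
            continue  # product not covered by these three bulletins
        bulletin, last_affected, priority = entry
        if is_affected(parse_version(version), last_affected):
            deadline = released + PATCH_WINDOW[priority]
            findings.append((deadline, host, product, version, bulletin))
    return sorted(findings)

if __name__ == "__main__":
    print(*triage(SAMPLE, RELEASED), sep="\n")
```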

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


18 Responses to “Adobe Patch Day: Updates for Reader X, Flash, and Shockwave Player”

  1. Running an admin point install, fails on the AdobeArmHelper.exe could not be found in data1.cab. “It could indicate a network error, a problem with this CD-ROM or a problem with this package”. Lol. Circus. Bring on 10.1.5, maybe it’ll bring world peace.

