Tactical Advice

Adobe Patches Critical Vulnerabilities for Shockwave and Flash Players

Updates address flaws that could allow attackers to remotely control or exploit systems with these widely used media players installed.
Adobe Patches Critical Vulnerabilities for Shockwave and Flash Players
Credit: iStock/ThinkStockPhotos

Adobe Systems recently released a pair of important security patches for its Shockwave and Flash players. With the updates, the software company addressed critical vulnerabilities in its popular platforms for displaying animated and video content over the web.

The Shockwave Player flaws, if left unpatched, could allow an attacker to remotely control affected PCs and Macs. According to an Adobe security advisory, the update addresses a pair of memory corruption vulnerabilities, CVE-2014 and CVE-2014-050, that could lead an outside entity to execute code. It released the fixes a week ago as part of the latest edition of Shockwave Player, version 12.0.9.149, and gave the update a priority rating, recommending its installation on any machines running Shockwave Player 12.0.7.148 and earlier.

Liangliang Song, a researcher at Fortinet's FortiGuard Labs, reported the security issues to Adobe.

More than 450 million Internet-enabled desktops have Shockwave Player installed as a browser plug-in, according to Adobe. It is used for viewing 3D games and entertainment, interactive product demonstrations, online learning applications and other types of web content created using Adobe Director software.

Last week’s Shockwave Player security update arrived only a week after Adobe released an emergency update to address a flaw in its Flash Player. Discovered by Kaspersky Lab researchers, that flaw was already being used by hackers in the wild to target computers with malware via email attachments.

Kaspersky researchers Alexander Polyakov and Anton Ivanov discovered 11 Flash exploit (SWF) files that were directed at the Flash vulnerability. One of these contained an executable file payload.

According to a Kaspersky blog post about the vulnerability, all of the exploits attack the same vulnerability as unpacked SWF files and have an ActionScript code for performing an operating system version check:

We discovered that these exploits had been detected on three different user machines, one of which worked under Mac OS 10.6.8 and the other two under Windows 7. On the Mac user’s machine, the exploits were detected in an email attachment. On the Windows 7 machines, they were in a browser cache, but this does not mean the files were not loaded from an email attachment, since Outlook can call Internet Explorer components to open files.

Judging by the IP addresses, all these users are located in China. The browser used was SogouExplorer, which originates from China, and the mailbox was hosted on 163.com. All of this may be an indication that the .docx document with the 0-day exploit was distributed via a targeted email mailing.

Adobe released updated versions of Flash Player for Windows, Mac and Linux to address the problem. Affected versions of the applications include Flash Player 12.0.0.43 and earlier for Windows and Mac, as well as Flash Player 11.2.202.335 and earlier for Linux. If you are running those versions of Flash, it is recommended you install the update immediately.

Sign up for our e-newsletter

About the Author

James Alan Miller

James is a veteran technology journalist with many years’ experience creating and developing magazine and online content. He is passionate about mobile tech, music and running — when the stars align.  Follow him on Google+ and Twitter:

Security

Three Ways to Integrate Fire... |
Follow these tips to align the devices with log management and incident tracking systems.
Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...

Storage

The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...
The Value of Converged Infra... |
Improvements in security, management and efficiency are just a few of the benefits CI can...

Networking

Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Hardware & Software

New Challenges in Software M... |
IT trends such as cloud, virtualization and BYOD pose serious hurdles for software...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
The Tools That Power Busines... |
Ever-evolving analytic software can greatly improve financial institutions’ decision-...