October 26, 2014

Adobe updates Flash Player, Shockwave Player and Acrobat Reader to close security vulnerabilities but Google issues warning

(LiveHacking.Com) – Adobe has released a series of security advisories and updates for its Flash Player, Shockwave Player and Acrobat Reader to close security vulnerabilities. As a result of the updates, Google has released a new version of the Chrome web browser. Google has also issued a warning about using Acrobat Reader on Windows, where Critical vulnerabilities remain unfixed, and on Linux, which was not patched at all. Gynvael Coldwind of the Google Security Team said “we consider users of Adobe Reader to be exposed to serious risk.”

According to the Google security researchers, users of Adobe Reader for Linux are exposed to all the known critical vulnerabilities, while users of Adobe Reader for Windows and Mac OS X are currently vulnerable to up to 6 and 10 unpatched issues, respectively.

The patches Adobe did release for its PDF reader apply to Adobe Reader and Acrobat X (10.1.3) and earlier versions for Windows and Macintosh. The updates address vulnerabilities in the software that could cause the application to crash and potentially allow an attacker to take control of the affected system. The new versions fix stack and buffer overflow vulnerabilities as well as memory corruption vulnerabilities. In the security advisory, Adobe thanks Mateusz Jurczyk and Gynvael Coldwind, of the Google Security Team, for twelve of the bugs found.

Adobe has also released an update for Adobe Shockwave Player 11.6.5.635 and earlier versions on the Windows and Macintosh operating systems. The update addresses five memory corruption vulnerabilities that could allow an attacker who successfully exploits them to run malicious code on the affected system.

There is also an update for Flash Player on Windows, Macintosh and Linux. The update addresses a vulnerability (CVE-2012-1535) that could cause the application to crash and potentially allow an attacker to take control of the affected system. This bug is currently being exploited in the wild via a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows.