In two separate security updates, Adobe released new versions of its Flash Player and Shockwave Player to address vulnerabilities in the software. Both software updates address critical vulnerabilities and Adobe recommends users update their product installations to the latest versions.
The Flash Player update addresses security issues in Adobe Flash Player 11.5.502.149 and earlier versions on all operating systems, resolving flaws that could cause a crash and potentially allow an attacker to take control of the affected system. Security updates for Adobe Shockwave Player 11.6.8.638 and earlier versions fix flaws that affect the Macintosh and Windows platforms, “[addressing] vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system,” the company said.
Adobe’s Flash Player update fixes a combined 17 flaws (CVEs), as indicated below:
- This update resolves buffer overflow vulnerabilities that could lead to code execution (CVE-2013-1372, CVE-2013-0645, CVE-2013-1373, CVE-2013-1369, CVE-2013-1370, CVE-2013-1366, CVE-2013-1365, CVE-2013-1368, CVE-2013-0642, CVE-2013-1367).
- This update resolves use-after-free vulnerabilities that could lead to code execution (CVE-2013-0649, CVE-2013-1374, CVE-2013-0644).
- This update resolves an integer overflow vulnerability that could lead to code execution (CVE-2013-0639).
- This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2013-0638, CVE-2013-0647).
- This update resolves a vulnerability that could result in information disclosure (CVE-2013-0637).
The software update for Adobe Shockwave Player fixes two flaws, described in more detail below:
- This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2013-0635).
- This update resolves a stack overflow vulnerability that could lead to code execution (CVE-2013-0636).
Users of Adobe Flash Player 11.5.502.149 and earlier versions for Mac OS X should download the 16.15 MB update to Adobe Flash Player 11.6.602.167 as soon as possible. Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.6.602.167 for Mac, Linux, and Windows platforms. Users of Adobe AIR 3.5.0.1060 and earlier versions for Mac should download the 26.6 MB update to Adobe AIR 3.6 (version 3.6.0.597). Lastly, users of Adobe Shockwave Player 11.6.8.638 and earlier versions for Mac and Windows should download the 12.9 MB update to the newest Shockwave Player version 12.0.0.112.