Adobe patches critical flaws in Reader, Acrobat, Flash Player and Illustrator
All of the security updates address remote code execution vulnerabilities
IDG News Service - Adobe Systems released critical security updates for several products Tuesday in order to fix vulnerabilities that could allow attackers to take remote control of systems running the vulnerable software.
The products that received security patches were Flash Player, the Adobe AIR SDK (software development kit) and Compiler for building rich Internet applications, Adobe Reader, Adobe Acrobat, and Adobe Illustrator for CS6 (Creative Suite 6).
While security updates for Flash Player, AIR, Reader and Acrobat are released on a monthly basis, security patches for Illustrator, especially critical ones, are rare, the previous one being released two years ago.
In a security advisory Adobe said that the new Illustrator hotfix addresses a vulnerability that could be exploited to gain remote code execution on the affected system, but didn't specify how. The company recommends that users of Adobe Illustrator on Windows and Mac upgrade to the newly released 16.2.2 or 16.0.5 versions, depending on whether they're on a subscription or not.
The new Flash Player versions released Tuesday, 22.214.171.124 for Windows and Mac and 126.96.36.1999 for Linux, fix a total of six vulnerabilities. One of them, identified as CVE-2014-0510, could result in arbitrary code execution and was demonstrated by members of Keen Team and Team 509 during the Pwn2Own hacking competition in March.
One of the other patched vulnerabilities could be exploited to bypass the same origin policy, an important security feature that prevents content loaded from different websites from interacting with each other, and the remaining four could be used to bypass different security protections in the program.
The Flash Player versions distributed with Google Chrome, Internet Explorer 10 and Internet Explorer 11 will automatically be updated through the update mechanisms of those browsers.
The same vulnerabilities were also fixed in the newly released Adobe AIR 188.8.131.52 SDK and Adobe AIR 184.108.40.206 SDK and Compiler, which bundle Flash Player.
Adobe Reader and Acrobat X and XI were updated to versions 11.0.07 and 10.1.10 in order to fix ten remote code execution flaws, one sandbox bypass and one information disclosure vulnerability. One remote code execution flaw, CVE-2014-0511, and the sandbox bypass, CVE-2014-0512, were used by a team from French vulnerability research firm Vupen during the Pwn2Own contest.
The Adobe Reader and Flash security updates received a priority rating of 1 from Adobe. This indicates that the company considers them to be easily exploitable once the patches have been reverse engineered, said Wolfgang Kandek, the chief technology officer at Qualys, via email. "Note that Adobe also does not provide patches for Windows XP anymore."
- Fight Malware, Malfeasance and Malingering Every year brings more extreme sets of threats than the last. The good news is that there are a range of mitigation options....
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts