Vulnerability Management

Adobe issues critical updates for Flash, Shockwave

On the heels of a large Patch Tuesday load from Microsoft, Adobe on Tuesday released a slew of security updates affecting several of its products.

"Critical" updates were released for Flash Player, Flash Media Server, Shockwave Player and Photoshop CS5. In addition, an “important” update was released for Adobe's help-authoring tool RoboHelp.

Adobe said it is not aware of any in-the-wild exploits targeting any of the issues addressed in its updates Tuesday.

The Flash Player update is the largest of the lot, addressing 13 critical flaws that could cause a crash or allow an attacker to take control of an affected system, Adobe said in its release. The fix addresses issues in version 10.3.181.36 and earlier editions for Windows, Mac, Linux and Solaris operating systems, as well as version 10.3.185.25 and earlier for Android and Adobe AIR 2.7.

The update for Adobe's multimedia viewer Shockwave Player corrects seven critical vulnerabilities found in version 11.6.0.626 and earlier on Windows and Mac, Adobe said. The flaws could allow an attacker to run malicious code on a vulnerable system.

The patches issued Tuesday for Flash Media Server, Photoshop CS5, and RoboHelp each fix just one vulnerability, Adobe said.

Google researcher Tavis Ormandy said on Twitter Tuesday that Adobe had downplayed the number of vulnerabilities fixed in its Flash Player update. Ormandy said the update actually addresses “400 unique vulnerabilities” to which he had alerted the company.

“Apparently that number was embarrassingly high, and they're trying to bury the results,” Ormandy wrote on Twitter, adding that he plans to publish his own advisory about the bugs. He said he was seeking credit for finding the flaws.

In a bulletin about the update, Adobe acknowledged a number of researchers who reported the security issues, including Ormandy, as well as the Google Chrome team for “their great work on several improvements to this Flash Player release.”

Wiebke Lips, an Adobe spokeswoman, questioned Ormandy's claim.

“Tavis' Twitter communication was not coordinated with us,” Lips told SCMagazineUS.com in an email Wednesday. “We are assuming that he is referring to the results of an ongoing joint engineering effort between Google and Adobe. The total number of unique bugs discussed as part of that project is far less than the number Tavis provided in his tweet.”

Lips said Adobe policy is to not publicly disclose in its security bulletins the details of “internal findings."

Ormandy has previously clashed with other high-profile firms over similar issues.

Last June, Ormandy attracted a wave of criticism from members of the security community after publishing details about an unpatched Windows kernel vulnerability after giving Microsoft just five days' notice about the but. In that case, he said he went public with the information in the best interest of security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.