Adobe Fixes Critical Bugs In Flash Player, Media Server
Altogether, Adobe issued three updates carrying its highest severity rating of critical, for Flash Player, Flash Media Server and Audition, and released an update with the slightly less severe ranking of "important." A critical designation usually indicates that the vulnerability could be exploited remotely by hackers with little or no user intervention.
Adobe released a comprehensive critical update for Adobe Flash Player, fixing numerous memory corruption, integer overflow and bounds checking vulnerabilities in version 10.2.159.1 and earlier for Windows, Mac, Linux and Solaris and version 10.2.157.51 and earlier versions for Android.
Thus far, reports are circulating that an attack exploiting some of the Flash Player vulnerabilities is active in the wild, spreading via a Flash file embedded in a Microsoft Word or Excel file, and delivered as an e-mail attachment targeting Windows.
"However, to date, Adobe has not obtained a sample that successfully completes an attack," Adobe said in its advisory.
In a successful attack scenario, hackers could cause an application to crash or infiltrate and take control of an affected system by sending an infected Flash file in a Word or Excel document, and then enticing users to open it.
Additionally, Adobe repaired two critical vulnerabilities in Flash Media Server 4.0.1 and earlier versions and Flash Media Server 3.5.5 and earlier for Windows and Linux. Specifically, the update resolves a memory corruption issue that could enable hackers to execute code remotely on users' systems, as well as a data corruption issue, which could open the door for denial of service attacks.
Adobe also patched two critical flaws in Audition 3.0.11 and earlier versions for Windows. One of the vulnerabilities could enable attackers to run malicious code on an affected system if they convinced a user to open a malicious binary Audition Session file.
However, Adobe said that one mitigating factor was that the Audition Session file format "is an older format that is no longer supported with the release of Adobe Audition CS5.5. Adobe is not aware of any in-the-wild attacks exploiting the vulnerability."
Adobe recommended that users discontinue use of the Adobe Session file format and switch to the XML session format, a readable standard for electronically encoding documents.
Meanwhile, Adobe also squashed two memory corruption bugs identified as "important" in RoboHelp 8, RoboHelp 7, RoboHelp Server 8 and RoboHelp Server 7, which could allow hackers to execute malicious code on users' systems.
In a successful exploit, hackers could use a malicious URL to create a cross-site scripting attack on RoboHelp installations.
As usual, Adobe recommends that users apply the updates as soon as possible to reduce the risk of attack.