Adobe issued two security bulletins on Tuesday, fixing critical security vulnerabilities in Shockwave Player and another affecting its RoboHelp authoring product.
The company’s Product Security Incident Report Team (PSIRT) issued two security bulletins Tuesday, identified as APSB12-02 and APSB12-04. The most serious of them fixes nine security holes in Shockwave Player Version 126.96.36.1993 and earlier that could allow an attacker to run malicious code on an unpatched system.
The Shockwave holes include memory corruption and heap overflow vulnerabilities in the Shockwave 3D Asset, a standard component that allows Shockwave Player to open and view certain 3D format files. The 3D Asset has been the source of critical vulnerabilities before. Notably, Adobe patched a series of holes in Shockwave related to the 3D Asset in June 2011 (APSB11-17).
In a separate bulletin, APSB12-04, Adobe fixed a hole in its RoboHelp online help authoring tool that could allow an attacker to launch a cross-site scripting attack using RoboHelp for Word. That patch applied to RoboHelp 9 for Word for Windows and was rated “Important.”
Adobe advised customers running vulnerable versions of the affected software to apply the patches at their earliest convenience.
Adobe’s software, including Reader, Flash and Shockwave, is a top target of malicious attacks because it is so widely used. In January, Adobe Director of Product Security Brad Arkin revealed that a vulnerability in the Adobe Reader 9 software was used in a series of very targeted attacks against firms in the defense industrial base, including defense contractor Lockheed Martin.
In a recent interview with Threatpost, Arkin said that Adobe has learned to focus its security efforts on making exploits of vulnerabilities harder to realize, rather than trying to weed out holes in its products’ source code.