Adobe has not only joined Microsoft on the Patch Tuesday parade; it too has critical vulnerabilities being exploited in the wild while a security update is in the works. Adobe released two patches today, for Acrobat/Reader and Flash Player, and said that fixes for three ColdFusion flaws being exploited will be released Jan. 15.
Microsoft released seven security updates today and said it is working on an Internet Explorer update that will address a zero-day vulnerability being exploited in a series of watering hole attacks.
The Acrobat and Reader updates are rated critical on Windows for version 9.5.3; Adobe said there are no active exploits, but this is the most likely avenue for attack. The updates patch vulnerabilities that could crash the applications and allow an attacker to remotely control a computer running the vulnerable software.
The updates are for Reader and Acrobat 11.0.0 and earlier versions for Windows and Mac and Reader 9.5.1 and earlier 9.x for Linux.
Adobe also updated Flash Player, addressing vulnerabilities that could crash the player and enable an attacker to control the victim’s computer. The security update is for Flash Player 11.5.502.135 and earlier on Windows and 11.5.502.136 on Macintosh. Linux and Android versions of Flash were also patched.
Microsoft also released a complementary update of Flash Player for Internet Explorer 10 for Windows 8, Windows Server 2012 and Windows RT. The update targets Flash libraries within IE 10 as well as the vulnerabilities addressed in the Adobe update.