Adobe today released its monthly round of security updates with patches available for Flash Player, Shockwave and ColdFusion.
None of the vulnerabilities are being exploited in the wild, according to Adobe.
The flaws in Flash Player and Shockwave could allow hackers to remotely install and run malware on the underlying system hosting the Adobe software. The ColdFusion bugs could allow someone to remotely call a public method on ColdFusionComponents using WebSockets, or cause a denial-of-service condition on a ColdFusion server.
ColdFusion vulnerabilities have been responsible for a number of data breaches this year, including one reported in May against the Washington state court system. Hackers accessed court systems and stole data on as many as one million Washington residents and had access to 160,000 Social Security numbers and driver’s license numbers of a million others. Officials were never clear on the flaws in ColdFusion that were exploited in that attack, but the application server software was patched in May, and again today.
ColdFusion 10 for Windows, Mac and Linux are impacted by the vulnerabilities, as are versions 9.0.2, 9.0.1 and 9.0 on JRun. The version 10 vulnerabilities were given the highest criticality rating by Adobe, while the others were rated important.
ColdFusion 10 users, Adobe said, are not affected by the denial of service vulnerability affecting the versions running on JRun; CVE-2013-3349 has been reserved for the JRun vulnerabilities while CVE-2013-3350 has been reserved for the ColdFusion 10 flaws.
The Flash Player bulletin addresses three vulnerabilities affecting Adobe Flash Player 11.7.700.224 and earlier versions for Windows, Adobe Flash Player 11.7.700.225 and earlier versions for Macintosh, Adobe Flash Player 126.96.36.1991 and earlier versions for Linux, Adobe Flash Player 188.8.131.52 and earlier versions for Android 4.x, and Adobe Flash Player 184.108.40.206 and earlier versions for Android 3.x and 2.x.
The vulnerabilities on the Windows and Macintosh platforms were given the highest priority rating by Adobe and users are urged to upgrade to version 11.8.800.94 or 11.7.700.232 for Windows and Mac.
Finally, one vulnerability was patched in Shockwave Player 220.127.116.11 and earlier for Windows and Macintosh; CVE-2013-3348 was reserved for this bug. Hackers exploiting this bug could remotely inject a malicious file onto a website and compromise a visitor.
Shockwave was last patched in April.