Adobe’s July Patch Release Fixes Bugs in Flash, Shockwave, ColdFusion

Author: Michael Mimoso
minute read

Adobe’s July security updates include patches for Flash Player, Shockwave Player and ColdFusion vulnerabilities.

Adobe today released its monthly round of security updates with patches available for Flash Player, Shockwave and ColdFusion.

None of the vulnerabilities are being exploited in the wild, according to Adobe.

The flaws in Flash Player and Shockwave could allow hackers to remotely install and run malware on the underlying system hosting the Adobe software. The ColdFusion bugs could allow someone to remotely call a public method on ColdFusionComponents using WebSockets, or cause a denial-of-service condition on a ColdFusion server.

ColdFusion vulnerabilities have been responsible for a number of data breaches this year, including one reported in May against the Washington state court system. Hackers accessed court systems and stole data on as many as one million Washington residents and had access to 160,000 Social Security numbers and driver’s license numbers of a million others. Officials were never clear on the flaws in ColdFusion that were exploited in that attack, but the application server software was patched in May, and again today.

ColdFusion 10 for Windows, Mac and Linux are impacted by the vulnerabilities, as are versions 9.0.2, 9.0.1 and 9.0 on JRun. The version 10 vulnerabilities were given the highest criticality rating by Adobe, while the others were rated important.

ColdFusion 10 users, Adobe said, are not affected by the denial of service vulnerability affecting the versions running on JRun; CVE-2013-3349 has been reserved for the JRun vulnerabilities while CVE-2013-3350 has been reserved for the ColdFusion 10 flaws.

The Flash Player bulletin addresses three vulnerabilities affecting Adobe Flash Player 11.7.700.224 and earlier versions for Windows, Adobe Flash Player 11.7.700.225 and earlier versions for Macintosh, Adobe Flash Player 11.2.202.291 and earlier versions for Linux, Adobe Flash Player 11.1.115.63 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.59 and earlier versions for Android 3.x and 2.x.

The vulnerabilities on the Windows and Macintosh platforms were given the highest priority rating by Adobe and users are urged to upgrade to version 11.8.800.94 or 11.7.700.232 for Windows and Mac.

Finally, one vulnerability was patched in Shockwave Player 12.0.2.122 and earlier for Windows and Macintosh; CVE-2013-3348 was reserved for this bug. Hackers exploiting this bug could remotely inject a malicious file onto a website and compromise a visitor.

Shockwave was last patched in April.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.