Adobe has rolled out crucial security updates on two of their key products, Flash Player and Shockwave Player.
This was announced through a security bulletin issued on March 14.
According to the security advisory, the updates fix 8 security flaws, or vulnerabilities, in the software.
All but one of the security vulnerabilities were categorized as critical, as they may pose a significant threat to the end user by allowing a cyber-attacker to take control of their systems or lead to an unauthorized escalation of privilege.
The vulnerabilities resolved by the updates affect Windows, Linux, Chrome OS, and Mac operating systems that run Flash Versions 220.127.116.11 and earlier.
THE PATCHED VULNERABILITIES FOR ADOBE
The vulnerabilities that affect Adobe Flash Player include: CVE-2017-2997, CVE-2017-2998, CVE-2017-2999, CVE-2017-3000, CVE-2017-3001, CVE-2017-3002, and CVE-2017-3003 on Windows 10 and 8.1, Chrome OS, Linux, and Macintosh platforms as well.
- CVE-2017-2997, reported by Tao Yan of Palo Alto Networks, is a buffer overflow security vulnerability through which hackers can execute code. It may enable the customization of advertising information as well.
- CVE-2017-2998 and 2999 are memory corruption vulnerabilities that can facilitate remote code execution. They are present within the Primetime TVSDK API. They were reported by Tao Yan.
- CVE-2017-3000 is a vulnerability in the random number generator employed for constant blinding. This security flaw can lead to information disclosure. It was reported by Wang Chenyu and Wu Hongjun.
- CVE-2017-3001, 3002, and 3003 are use-after-free vulnerabilities that can enable code execution. They were found in the ActionScript 2 VM garbage collection, the Flash ActionScript 2 TextField object, and the interaction between the ActionScript 2 Camera object and the privacy user interface. These security flaws were reported by Qihoo 360 Vulcan Team’s Yuki Chen.
The affected software includes version 24.0.0221 (and earlier) of the desktop runtime (priority rating 1), Adobe Flash Player for Google Chrome (priority rating 1), as well as the Flash Player compatible with Microsoft Edge (priority rating 1) and Internet Explorer.
The desktop runtime vulnerabilities on Linux OS had a priority rating of 3.
Adobe’s security bulletin also included directions on how users can determine which version of Adobe Flash Player is installed on their systems, and therefore whether it contains these vulnerabilities.
To verify the product version, users can right-click on Flash content and locate ‘About Adobe/Macromedia Flash Player’ on the menu list.
Users utilizing several browsers should repeat the process for each browser they have installed on their system as required.
The company has advised all product users to update Flash Player to the latest version (Version 18.104.22.168) and has provided the respective update mechanisms for the supported operating systems.
The versions installed with Google Chrome, Microsoft Edge (Windows 10), and Internet Explorer 11 (Windows 8.1) will be updated automatically to their latest versions.
This applies to users who have activated the ‘Allow Adobe to install updates’ option.
SECURITY UPDATES FOR ADOBE SHOCKWAVE PLAYER
The vulnerability affecting Adobe Shockwave Player for Windows is CVE-2017-2983.
The vulnerability has been labeled as important, as it has the potential to facilitate unauthorized privilege escalations.
CVE-2017-2983 is an insecure library loading (dynamic-link library hijacking) vulnerability that is present in the directory search path employed to find privileged resources.
The security flaw was reported by Nitesh Shilpkar, who worked with the company to help resolve the potential vulnerabilities.
The affected software versions are 22.214.171.124 and earlier running on the Windows platform.
Adobe has categorized this security update with a priority rating of 2, and has advised Adobe Shockwave users to promptly update their installations to the latest version (Version 126.96.36.199).
The company has also provided the update mechanism for this product.
It is important to note that there are no reports of the above vulnerabilities being exploited to date.
However, this should not make the vulnerabilities seem less of a threat to users.
These updates follow the resolution of 13 security issues by the company in February that enabled hackers to exploit remote code execution vulnerabilities in Adobe.