Tuesday, March 12, 2013

Adobe Critical Security Updates:
Flash Player 11.6.602.180,
AIR 3.6.0.6090.
And: Looking Up CVE Numbers

--
Ping - Pong. 
Tick - Tock. 
Java - Flash. 
Oracle - Adobe. 
(0_o)

This week's Flash/AIR security update is out. Here is Adobe's announcement:

Security Bulletin: APSB13-09
Adobe has released security updates for Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.273 and earlier versions for Linux, Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe recommends users update their product installations to the latest versions:

Users of Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.6.602.180.

. . .

Users of Adobe AIR 3.6.0.597 and earlier versions for Windows, Macintosh and Android should update to Adobe AIR 3.6.0.6090.

. . .

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2013-0646).

These updates resolve a use-after-free vulnerability that could be exploited to execute arbitrary code (CVE-2013-0650).

These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2013-1371).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2013-1375).
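A check an administrator could run over a software inventory, using the "and earlier" version thresholds quoted in the bulletin above. This is an added example, not code from Adobe or from this blog; the platform labels, host names and inventory rows are constructed. Versions are compared numerically, because a plain string comparison ranks 9.0.124.0 above 11.6.602.171 and would report that old install as safe.

```python
import re

# Highest affected version per (product, platform), as quoted from APSB13-09.
# The platform labels are this example's own naming, not Adobe's.
LAST_AFFECTED = {
    ("flash", "windows"): "11.6.602.171",
    ("flash", "macintosh"): "11.6.602.171",
    ("flash", "linux"): "11.2.202.273",
    ("flash", "android-4.x"): "11.1.115.47",
    ("flash", "android-2.x-3.x"): "11.1.111.43",
    ("air", "windows"): "3.6.0.597",
    ("air", "macintosh"): "3.6.0.597",
    ("air", "android"): "3.6.0.597",
}

_VERSION_RE = re.compile(r"\d+(?:\.\d+){3}", re.ASCII)


def parse_version(text):
    """Turn '11.6.602.171' into (11, 6, 602, 171); reject any other shape."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"not a four-part dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(product, platform, installed):
    """True if the installed version is at or below the bulletin's threshold."""
    last_bad = LAST_AFFECTED[(product.lower(), platform.lower())]  # KeyError if unknown
    return parse_version(installed) <= parse_version(last_bad)


# Constructed inventory rows: (host, product, platform, installed version).
SAMPLE_INVENTORY = [
    ("ws-01", "flash", "windows", "11.6.602.171"),
    ("ws-02", "flash", "windows", "11.6.602.180"),
    ("ws-03", "flash", "windows", "9.0.124.0"),
    ("lx-01", "flash", "linux", "11.2.202.273"),
    ("mac-01", "air", "macintosh", "3.6.0.6090"),
    ("mac-02", "air", "macintosh", "3.6.0.597"),
]


def audit(inventory):
    """Return the hosts whose installed version still needs the update."""
    return [host for host, product, platform, version in inventory
            if is_affected(product, platform, version)]


if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(host, "needs the APSB13-09 update")
```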

LOOKING UP CVE NUMBERS

If you'd like to know more about each CVE security hole, go to the Mitre.org CVE Search page, linked at the right, and enter each CVE code number (only) into the search box, and hit the Search button. (Leave off the 'CVE-' characters). Here is an example entry, along with the result:


If nothing about the CVE is yet listed at Mitre.org, try searching at SecurityTracker and SecurityFocus, also linked at the right. These two websites often have the dirt on a CVE security hole before it is approved for publication at Mitre.org. 

For Masochists Only: You can try searching for CVEs at the National Vulnerability Database (NVD) Search Vulnerabilities page, linked below. But I don't recommend it. Why? The site is a POS: Typical US government incompetent crap from hell. And I don't care what 'party' is in power. Major incompetent suckage is the rule. Example: At this very moment I cannot connect to the NVD website. My web browsers tell me: "Can't connect to the server "web.nvd.nist.gov"." That's not acceptable. Also not acceptable is when the website is up and 'running' but the searches FAIL. Therefore, what is the point of the worthless NVD website? But if you just gotta try it:

http://web.nvd.nist.gov/view/vuln/search

... Told you so. This is how seriously the U.S. government takes computer security. :-P
