Friday, May 13, 2016

Adobe Flash In-The-Wild Exploit Patched:
Flash v21.0.0.242, AIR v21.0.0.215
Plus ColdFusion Hotfixes

--

Adobe has released Flash v21.0.0.242 and AIR v21.0.0.215. The patch blocks an in-the-wild exploit of Flash. There is a total of 25 CVE patches. Presumably, this patch is two days later than Adobe's usual 'second Tuesday of the month' patching schedule due to the late discovery of the ongoing exploit.

Download Flash Update
Download AIR Update

The security bulletin is HERE.

Vulnerability Details

These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-1105, CVE-2016-4117).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1097, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4110).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-1101).

These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2016-1103).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1096, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1102, CVE-2016-1104, CVE-2016-4109, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115).

These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4116).

Also of note:

Adobe has released security hotfixes for ColdFusion versions 10, 11 and the 2016 release.

The security bulletin is HERE.

Vulnerability Details

These hotfixes resolve an important input validation issue (CVE-2016-1113) that could be abused to conduct cross-site scripting attacks.

These hotfixes include an updated version of the Apache Commons Collections library to mitigate an important Java deserialization vulnerability (CVE-2016-1114).

These hotfixes resolve a moderate host name verification problem affecting wild card certificates (CVE-2016-1115).

Hopefully, that's the end of Adobe security patches for May. (0_o)
