This week it’s no secret that the Fortinet team has been hitting it pretty hard on the Adobe front.
For San Jose, Calif.-based Adobe, Valentine’s Day came with a bang when researcher Honggang Ren of Fortinet’s FortiGuard Labs detected a total of seven out of nine critical vulnerabilities in Adobe’s Shockwave Player 184.108.40.2063 (CVE-2012-0757, CVE-2012-0760, CVE-2012-0761, CVE-2012-0762, CVE-2012-0763, CVE-2012-0764, CVE-2012-0766) and earlier versions for both Windows and Mac OS X. According to Ren, the memory corruption vulnerabilities were due to access violation caused by an invalid pointer.
All of the vulnerabilities were given the highest severity rating of “critical,” indicating that the Shockwave Player flaws could enable a hacker to run malicious code remotely on an affected user’s system in an attack designed to steal data, log keystrokes or potentially crash Microsoft’s Internet Explorer browser.
Adobe already has a fix in place, and recommends that users upgrade Shockwave Player to the newest version 220.127.116.114, available on the Adobe website.
Meanwhile, Fortinet researcher Xu Liu, also of FortiGuard Labs, bolstered the team effort when he detected a critical memory corruption vulnerability (CVE-2012-0751) in Adobe’s Flash Player 18.104.22.168 and earlier versions, affecting a Windows ActiveX control. The flaw was one of seven critical vulnerabilities addressed in the Flash Player update, which covered all platforms, including Adobe Flash Player 22.214.171.124 and earlier versions for Android 4.x and Flash Player 126.96.36.199 and earlier versions for Android 3.x and 2.x.
As with many critical vulnerabilities, a successful exploit could open the door for a remote attacker to run arbitrary code that could compromise the victim’s computer or crash the system.
In addition, the Flash Player update, released Wednesday, also resolved a universal cross-site scripting error (CVE-2012-0767) that could be exploited by hackers to “take actions on a user’s behalf” on any website or webmail service if the user were to visit a malicious site. Reports are circulating that the cross-site scripting flaw is being exploited in active in-the-wild attacks that trick users into clicking on a malicious link delivered by e-mail, targeting users of Internet Explorer on Windows.
Because these flaws are designated with the highest severity rating of “critical,” it’s best that users update as soon as possible to Adobe Flash Player 188.8.131.52, available from the Adobe Flash Player Download Center, or to Flash Player 184.108.40.206 for Android 4.x and Flash Player 220.127.116.11 for Android 3.x from the Android Marketplace.
Fortinet’s collective one-two punch is hardly an anomaly, given that since 2008, FortiGuard Labs researchers have reported 131 vulnerabilities, 99 of which have been disclosed and fixed by the appropriate vendors.
For more information on unpatched vulnerabilities detected by the FortiGuard research team, you can view the FortiGuard site here.