Adobe has released fixes for security flaws in its Flash Player and ColdFusion application server.
The software maker released the updates on Wednesday. According to Adobe, the critical vulnerabilities were identified in Flash Player 220.127.116.11 and earlier versions, and the fixes do not apply to those who have already upgraded to version 10.0.12.36. Users who cannot move to Flash Player 10 can get a patched version of its predecessor, version 18.104.22.168.
On the release of the free download of Flash Player 10 in October, Adobe claimed that more than 98 percent of internet-enabled desktops use the multimedia and web-application player, and that more than 80 percent of videos watched online are delivered using the product.
One of the Flash Player fixes changes the way the application interprets HTTP response headers, so as to prevent cross-site scripting attacks. Others aim to stop potential DNS rebinding attacks, HTML injection "issues" and non-root domain policy bypasses. Two of the patches are targeted at stopping information disclosure that could take place through the Flash Player ActiveX control and the software's interpretation of jar: protocols in Mozilla browsers.
The vulnerability in ColdFusion, Adobe's web-application development software, "could allow a lower-privileged user to bypass sandbox security and access sensitive information, and could potentially lead to a privilege escalation attack", Adobe said on Wednesday. Although the flaw is not remotely exploitable, the company has warned that it is "particularly applicable to ColdFusion servers in a shared hosting environment".
Adobe has identified ColdFusion 8, ColdFusion 8.0.1 and ColdFusion MX 7.0.2 Solution as vulnerable products, and has issued a hot fix that can be downloaded from the company's security site.