Adobe fixes flaws in Flash Player, ColdFusion

Summary:The software firm has issued patches for critical vulnerabilities in Flash Player, and hot fixes for affected ColdFusion products

Adobe has released fixes for security flaws in its Flash Player and ColdFusion application server.

The software maker released the updates on Wednesday. According to Adobe, the critical vulnerabilities were identified in Flash Player 9.0.124.0 and earlier versions, and the fixes do not apply to those who have already upgraded to version 10.0.12.36. Users who cannot move to Flash Player 10 can get a patched version of its predecessor, version 9.0.151.0.

On the release of the free download of Flash Player 10 in October, Adobe claimed that more than 98 percent of internet-enabled desktops use the multimedia and web-application player, and that more than 80 percent of videos watched online are delivered using the product.

One of the Flash Player fixes changes the way the application interprets HTTP response headers, so as to prevent cross-site scripting attacks. Others aim to stop potential DNS rebinding attacks, HTML injection "issues" and non-root domain policy bypasses. Two of the patches are targeted at stopping information disclosure that could take place through the Flash Player ActiveX control and the software's interpretation of jar: protocols in Mozilla browsers.

The vulnerability in ColdFusion, Adobe's web-application development software, "could allow a lower-privileged user to bypass sandbox security and access sensitive information, and could potentially lead to a privilege escalation attack", Adobe said on Wednesday. Although the flaw is not remotely exploitable, the company has warned that it is "particularly applicable to ColdFusion servers in a shared hosting environment".

Adobe has identified ColdFusion 8, ColdFusion 8.0.1 and ColdFusion MX 7.0.2 Solution as vulnerable products, and has issued a hot fix that can be downloaded from the company's security site.

Topics: Security

About

David Meyer is a freelance technology journalist. He fell into journalism when he realised his musical career wouldn't be paying many bills. His early journalistic career was spent in general news, working behind the scenes for BBC radio and on-air as a newsreader for independent stations. David's main focus is on communications, of both... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.