Adobe December Patch Tuesday

Adobe today released two new bulletins and updated the Reader/Acrobat bulletin that was published a week ago.

APSB14-27: Security Update for Adobe Flash Player

This update fixes 6 vulnerabilities, some of which can lead to remote code execution. Adobe rates this patch with a priority of "1", indicating that the vulnerability has already been exploited in targeted attacks.

APSB14-28: Security Update for Adobe Reader and Acrobat

This update fixes 20 different vulnerabilities. The bulletin has a rating of 1.

APSB14-29: Hotfixes for ColdFusion

This bulletin applies to ColdFusion 10 and 11 and fixes a denial of service vulnerability (CVE-2014-9166). The vulnerability has not been used in any exploits so far.

 

http://helpx.adobe.com/security.html

---
Johannes B. Ullrich, Ph.D.

Johannes

3696 Posts
ISC Handler
Also, AIR was updated from 15.0.0.293 to 15.0.0.356.
Starlight

34 Posts
Hi,
I am NOT sure if this is the correct method to add a comment to this Diary article?
As a relative newbie - I am finding my way around the SANS ISC site.

My Diary comment is as follows:-

The Adobe web site is rather confused about the update status of the free Shockwave Player. According to Adobe, the latest download version is 12.1.5.155 - however, no matter what browser you use - IE, Firefox, Google Chrome, etc. - the version of code that is downloaded is the previous version 12.1.4.154.

This may pose a possible Security Risk - I will keep an eye on the Adobe Shockwave web page and see whether the download code changes.
MalcolmP

4 Posts
Quoting MalcolmP:

Hi,
I am NOT sure if this is the correct method to add a comment to this Diary article?
As a relative newbie - I am finding my way around the SANS ISC site.


Indeed, it was the correct method for adding a comment. Welcome to the site! :)
Alex Stanford

136 Posts
Quoting MalcolmP:

The Adobe web site is rather confused about the update status of the free Shockwave Player. According to Adobe, the latest download version is 12.1.5.155 - however, no matter what browser you use - IE, Firefox, Google Chrome, etc. - the version of code that is downloaded is the previous version 12.1.4.154.

This may pose a possible Security Risk - I will keep an eye on the Adobe Shockwave web page and see whether the download code changes.


As an update to my previous comment - the Adobe Shockwave player web page has now been fixed by Adobe. When you click the download link, you get the correct v12.1.5.155 code package downloaded. I have downloaded and installed the latest code and it seems to work OK so far.
MalcolmP

4 Posts
