Adobe Systems Inc. issued two separate security updates this week to address multiple vulnerabilities discovered in its Flash and Shockwave media products.
Coinciding with Microsoft's March Patch Tuesday release, the Flash Player update, now on version 18.104.22.168 for the Windows and Mac platforms, fixed two vulnerabilities. If successfully exploited, CVE-2014-0503 could be used to bypass the same-origin policy, and CVE-2014-0504 could be used by attackers to read the content copied to a clipboard. The vulnerabilities were rated as 6.4 and 5.0 respectively on the Common Vulnerability Scoring System, or CVSS, though both were remotely exploitable and don't require any sort of authentication, resulting in the highest exploitability subscore possible.
Adobe ranked the Flash update as a 2 on its priority rating scale, meaning the company is unaware of any active or imminent exploits taking advantage of the vulnerabilities. The company advises users to install the updated Flash version within 30 days.
"Unless you are patching your endpoints multiple times each month, that puts the Flash update to a high priority in our opinion," wrote Shavlik Technologies product manager Chris Goettl in a blog post. "The other two Flash updates we have seen so far this year (Jan. 14 and Feb. 4) resolve three additional high-priority CVEs. Long story short, UPDATE FLASH!"
On Thursday, Adobe also updated its Shockwave media player software, now on version 22.214.171.124 for Windows and Mac machines. The update patches a memory-corruption vulnerability, CVE-2014-0505, which, if successfully exploited, would give attackers the ability to execute arbitrary code. Adobe also rated the Shockwave update a 2 on its priority scale, meaning it is unaware of any active exploits utilizing the vulnerability but users should still update Shockwave in a timely manner.