Adobe has published six security bulletins announcing the updates needed to fix 36 vulnerabilities in Flash Player (including a 0-day that is being exploited in the wild), one in the DNG Software Development Kit (SDK), two in Brackets, two in the Creative Cloud Desktop Application, one in ColdFusion and one in Adobe AIR: 43 corrected vulnerabilities in total.

Flash Player

Undoubtedly the most important of the published updates is the usual monthly Flash Player bulletin, this time APSB16-18, which fixes 36 vulnerabilities, among them a 0-day that is currently being actively exploited. Virtually all of the issues could allow an attacker to take control of the affected system.

Everything indicates that Adobe delayed publication of the Flash bulletin in order to include the fix for the 0-day memory corruption vulnerability (CVE-2016-4171).

All but one of the issues addressed in this bulletin could allow arbitrary code execution: six use-after-free vulnerabilities, two type confusions, three buffer overflows, 23 memory corruption bugs, and a vulnerability in the directory search path used to find resources. The remaining vulnerability could be used to bypass the same-origin policy and obtain sensitive information.

The assigned CVEs are: CVE-2016-4122 through CVE-2016-4125, CVE-2016-4127 through CVE-2016-4156, CVE-2016-4166, and CVE-2016-4171.

As has become common in recent months, Microsoft has also published a bulletin (MS16-083) covering these Adobe Flash updates (including the 0-day) for the Flash Player embedded in Internet Explorer and Edge.

Adobe has published the following Flash Player versions to fix the vulnerabilities; they are available for download from the official website:

Flash Player Desktop Runtime 22.0.0.192

Flash Player Extended Support Release 18.0.0.360

Flash Player for Linux 11.2.202.626

Version 22.0.0.192 of Flash Player has also been published for Internet Explorer, Edge and Chrome browsers.

Adobe recommends that users of the Flash Player Desktop Runtime for Windows and Macintosh update through the product's built-in update mechanism or from

http://www.adobe.com/go/getflash

Flash Player Extended Support Release users should update from:

http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html

Flash Player for Linux users should update from:

http://www.adobe.com/go/getflash


ColdFusion

Adobe Security Bulletin APSB16-22 contains an update for ColdFusion versions 2016, 11 and 10. This patch addresses an important input validation vulnerability (CVE-2016-4159) that could be used to carry out cross-site scripting attacks.

Users are encouraged to update their products according to the instructions provided by Adobe:

ColdFusion 2016: http://helpx.adobe.com/coldfusion/kb/coldfusion-2016-update-2.html

ColdFusion 11: http://helpx.adobe.com/coldfusion/kb/coldfusion-11-update-9.html

ColdFusion 10: http://helpx.adobe.com/coldfusion/kb/coldfusion-10-update-20.html

Adobe DNG Software Development Kit (SDK)

Adobe Security Bulletin APSB16-19 contains an update for the Adobe DNG Software Development Kit (SDK) 1.4 (2012 release) and earlier, for Windows and Macintosh. This patch addresses a memory corruption vulnerability (CVE-2016-4167).

Version 1.4 (2016 release) has been published and is available from:

https://www.adobe.com/support/downloads/dng/dng_sdk.html

Adobe Brackets

Adobe Security Bulletin APSB16-20 contains an update for Adobe Brackets 1.6 and earlier for Windows, Macintosh and Linux. This patch addresses a JavaScript injection vulnerability that could be used for cross-site scripting attacks (CVE-2016-4164) and an input validation vulnerability in the extension manager (CVE-2016-4165).

Adobe has released Brackets 1.7, available from:

https://github.com/adobe/brackets/releases


Creative Cloud Desktop Application

Adobe Security Bulletin APSB16-21 reports an update for the Creative Cloud Desktop Application for Windows. This update addresses a vulnerability in the directory search path used to find resources, which could allow code execution (CVE-2016-4157), and an unquoted service path enumeration vulnerability (CVE-2016-4158), in which a service binary path containing spaces is registered without quotes.

Adobe has published Creative Cloud version 3.7.0.272, available from:

https://www.adobe.com/creativecloud/desktop-app.html
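The unquoted service path class behind CVE-2016-4158 is easy to audit on any Windows host: when a service's ImagePath contains spaces and is not quoted, the Service Control Manager (via CreateProcess) tries each space-delimited prefix of the path, with ".exe" appended, before reaching the intended binary, so a local user who can write to one of those intermediate directories gets code execution as the service account. The following script is an added example, not Adobe's code and not taken from the bulletin; it implements that detection logic over a constructed list of service entries (on a real host the same pairs come from `Get-CimInstance Win32_Service | Select-Object Name, PathName`) and shows the quoted form the path should take.

```python
"""Audit Windows service ImagePath values for the unquoted-path bug class.

Added example (not Adobe's code). The SAMPLE_SERVICES entries are constructed
for illustration; on a real host feed in the Name/PathName pairs reported by
`Get-CimInstance Win32_Service`.
"""
import re

# Matches the end of the executable name so arguments after it can be split off.
EXE_RE = re.compile(r'\.exe\b', re.IGNORECASE)

# Constructed sample: (service name, ImagePath) as a Windows host would report them.
SAMPLE_SERVICES = [
    ("GoodQuoted", r'"C:\Program Files\Vendor\Service Host\svc.exe" -run'),
    ("BadUnquoted", r"C:\Program Files\Vendor App\Service Host\svc.exe -k"),
    ("NoSpaces", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("SystemRoot", r"C:\Windows\Sys Tools\agent.exe"),
]


def _split_exe(image_path):
    """Return (executable part, argument part) of an unquoted ImagePath.

    Without quotes there is no reliable delimiter, so the executable is taken to
    end at the first '.exe'; if there is none the whole string is the executable.
    """
    m = EXE_RE.search(image_path)
    if m is None:
        return image_path, ""
    return image_path[:m.end()], image_path[m.end():]


def unquoted_candidates(image_path):
    """List the files a local attacker could plant, in the order SCM tries them.

    A quoted path or a path without spaces is safe and yields an empty list.
    For 'C:\\Program Files\\Vendor App\\svc.exe' the candidates are
    'C:\\Program.exe' and 'C:\\Program Files\\Vendor.exe'.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []  # properly quoted: SCM reads the path up to the closing quote
    exe_part, _ = _split_exe(path)
    if " " not in exe_part:
        return []  # no spaces, so only the intended binary is ever tried
    tokens = exe_part.split(" ")
    # Every prefix ending at a space is tried as '<prefix>.exe' before the real binary.
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def fixed_image_path(image_path):
    """Return the ImagePath with the executable portion quoted (arguments untouched)."""
    path = image_path.strip()
    if path.startswith('"'):
        return path
    exe_part, args = _split_exe(path)
    return '"' + exe_part + '"' + args


def audit(services):
    """Map each vulnerable service name to its hijack candidates."""
    findings = {}
    for name, image_path in services:
        candidates = unquoted_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, candidates in audit(SAMPLE_SERVICES).items():
        print(f"[!] {name}: unquoted service path")
        for c in candidates:
            print(f"    attacker-controlled file would run if writable: {c}")
        original = dict(SAMPLE_SERVICES)[name]
        print(f"    fix with: sc config {name} binPath= '\"{fixed_image_path(original)[1:-1]}\"'")
```

A hit from this script is only exploitable if the attacker can actually create the candidate file, so the second step on a real host is an ACL check on each intermediate directory (`icacls "C:\Program Files\Vendor App"`, looking for write or modify rights granted to Users, Authenticated Users or Everyone). Directories under `C:\Program Files` and `C:\Windows` are normally not writable by standard users, which is why vendors installing services elsewhere, or installers that loosen those ACLs, are the usual source of exploitable instances.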

Adobe AIR

The last of the published security bulletins concerns Adobe AIR (APSB16-23) and announces a vulnerability (CVE-2016-4116) in the directory search path used by the Adobe AIR installer. An attacker could exploit this issue to achieve arbitrary code execution.

Adobe AIR users are recommended to update to version 22.0.0.153, available from:

http://get.adobe.com/air/

Adobe AIR SDK & Compiler:

http://www.adobe.com/devnet/air/air-sdk-download.html

More information

Security updates available for Adobe Flash Player

https://helpx.adobe.com/security/products/flash-player/apsb16-18.html

Security update available for the Adobe DNG Software Development Kit (SDK)

https://helpx.adobe.com/security/products/dng-sdk/apsb16-19.html

Security update available for Adobe Brackets

https://helpx.adobe.com/security/products/brackets/apsb16-20.html

Security update available for the Creative Cloud Desktop Application

https://helpx.adobe.com/security/products/creative-cloud/apsb16-21.html

Security Update: Hotfixes available for ColdFusion

https://helpx.adobe.com/security/products/coldfusion/apsb16-22.html

Security update available for Adobe AIR

https://helpx.adobe.com/security/products/air/apsb16-23.html

Security Advisory for Adobe Flash Player

https://helpx.adobe.com/security/products/flash-player/apsa16-03.html

Microsoft Security Bulletin MS16-083 - Critical

Security Update for Adobe Flash Player (3167685)

https://technet.microsoft.com/library/security/MS16-083