What? You thought we just celebrated Patch Tuesday a few days ago? For several years now, Adobe has been releasing patches for many of its most popular products on the second Tuesday of each month – the same day Microsoft releases their security updates. That makes it easier (at least in theory) for IT admins to apply them all on the same day, rather than having to do a patch here and another there.
What you might not have realized, though, is that “officially” the second-Tuesday schedule only applies to Adobe Reader, Acrobat and Flash. That’s not to say Adobe never releases fixes for other products on Patch Tuesday, but for products such as Shockwave Player and Photoshop, you never can tell. Of course, just like Microsoft, Adobe sometimes finds it necessary to release an “out of band” patch on an emergency basis when a zero day vulnerability poses a serious risk to its users.
That’s why we found ourselves with a new security update for Shockwave Player just two days after this month’s regular release of two Flash patches (which we’ll cover in our regular end-of-the-month third party patch roundup article). The memory corruption vulnerability that it addresses could be used by attackers to remotely execute code and take over the system. All the user would have to do is visit a web site that’s hosting a malicious Shockwave file, and both Windows and Mac OS X computers are vulnerable. Fewer systems have Shockwave installed than have Adobe Flash (around 450 million vs. more than a billion, according to Adobe’s statistics), but it’s still a significant installed base so quite a few systems are affected by this.
The vulnerability, labeled CVE-2014-0505, is rated as Priority 2 (critical) by Adobe. It was reported privately by FortiGuard Labs and as far as we know, is not yet being exploited. Versions 220.127.116.11 and earlier are vulnerable; all systems that have the Shockwave plug-in installed should be immediately updated to v18.104.22.168.
For more information, see the official Adobe security advisory APSB14-10.