Macromedia Inc. on Wednesday released a batch of security patches to cover a trio of flaws affecting some of its enterprise-facing server products.
The San Francisco, Calif.-based software and platform provider said the vulnerabilities could put users at risk of denial-of-service and information disclosure attacks.
Two of the flaws are rated “moderately critical” by security alerts aggregator Secunia Inc.
Affected products include the Macromedia Flash Media Server, the Macromedia Breeze Communication Server/Live Server and the Macromedia Contribute Publishing Server.
The Macromedia Flash Media Server bug affects versions 1.0 through 1.5. The company explained that the server does not sufficiently validate some RTMP data, a bug that can cause server instability or crashes.
Patches have been included in the Macromedia advisory.
A second alert was released to warn about a denial-of-service hole in the Macromedia Breeze Communication Server/Live Server, which is part of the companys Web conferencing and communications software suite.
That flaw, also rated “moderately critical,” affects Macromedia Breeze 4.x through 5.x.
Macromedia said the vulnerability is caused due to an error in validating RTMP data. This may be exploited to cause the server to become unstable or crash via specially crafted RTMP data sent from a Flash Player.
The third vulnerability, in the Macromedia Contribute Publishing Server, can allow malicious hackers to hijack sensitive information.
Macromedia said the issue is caused due to a weak encryption algorithm being used to encrypt user password in connection keys that use shared FTP login credentials.
The flaw affects versions prior to 1.11.
The trifecta of patches come on the heels of a critical Flash Player update that could be exploited to hijack millions of computers.
The flaw was flagged in Macromedia Flash Player 7.0.19.0 and earlier versions.
According to eEye Digital Security, the private research firm that reported the issue to Macromedia, the vulnerability opens the door for a malicious hacker to run arbitrary code in the context of the logged-in user.