Adobe Fixes Critical Security Flaws in Flash, ColdFusion, Campaign


Adobe’s monthly patch update is now available and fixes a handful of vulnerabilities in Flash, ColdFusion, and Campaign Classic.

The June round of fixes released by the tech giant focuses on patching problems which could lead to arbitrary code execution in the software.

In Adobe Flash, a single vulnerability has been resolved for software versions 32.0.0.192 and earlier on Windows, macOS, Linux, and Chrome OS.

The bug, CVE-2019-7845, is a use-after-free security flaw which can lead to code execution if exploited.

Three vulnerabilities, CVE-2019-7838, CVE-2019-7839, and CVE-2019-7840, have been patched in Adobe ColdFusion 11, 2016, and 2018. The file extension blacklist bypass, command injection, and deserialization of untrusted data errors could all lead to arbitrary code execution if left unresolved.


In addition, seven vulnerabilities have been smoothed over in Adobe Campaign Classic, software which is not a common participant in Adobe’s patch updates. Versions 18.10.5-8984 and earlier on Windows and Linux machines are affected.

The single critical issue in the batch, CVE-2019-7850, is a command injection bug which can lead to arbitrary code execution.

Five other vulnerabilities, CVE-2019-7843, CVE-2019-7941, CVE-2019-7846, CVE-2019-7848, and CVE-2019-7849, can all be exploited for the purposes of information disclosure, and CVE-2019-7847 provides read access to the file system.

Users should accept automatic updates to mitigate the risk of exploitation.

Adobe thanked researchers from Trend Micro’s Zero Day Initiative, 404 Team, Booz Allen Hamilton and Aon’s Cyber Solutions for submitting the bug reports.

The latest round of patches builds upon Adobe’s previous set of security fixes, released in May. The former update resolved 84 vulnerabilities, all of which were deemed either important or critical, in Flash, Acrobat, and Reader.

This week, Microsoft also released the firm’s customary round of monthly security updates. In total, 88 bugs were patched and of particular note is the resolution of four out of five zero-day vulnerabilities published in May by an exploit seller known as SandboxEscaper.

Source: ZDNet
 
 
