The Most Comprehensive Data Protection Solution
Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.
First and Only Solution to Converge:
- Data Loss Prevention
- Endpoint Detection and Response
- User and Entity Behavior Analytics
Adobe patched five vulnerabilities in Flash Player, Connect, and Dreamweaver CC – three critical – this week as part of its regularly scheduled Patch Tuesday updates.
While the total number of fixes is far below average, especially compared to last month's 55 patches, the update remedies bugs that could be used to carry out remote code execution, the deletion of files, or information leakage.
Two of the critical vulnerabilities, perhaps unsurprisingly, were in Flash Player, Adobe’s ever-ubiquitous punching bag for hackers. Yuki Chen, a researcher on Qihoo’s 360 Vulcan Team, discovered the bugs, a use after free (CVE-2018-4919) and type confusion (CVE-2018-4920) vulnerability. If exploited both could lead to remote code execution in the context of the current user.
Windows, Macintosh, Linux, and Chrome OS users that still use Flash should update to the latest version, 184.108.40.206, to mitigate the vulnerabilities. Users still running 220.127.116.11 are still vulnerable however.
The other critical issue exists in Dreamweaver CC, Adobe’s popular website and web application development tool. According to Adobe, in version 18.0 and earlier of the software, an attacker could exploit a critical OS command injection vulnerability in the Dreamweaver URI handler on Windows. Similar to the Flash vulnerabilities, the attack could net a bad actor arbitrary code execution.
Hard to believe but according to Adobe's Security Bulletins and Advisories portal it's the first vulnerability to surface in Dreamweaver in more than 10 years. The last issues to affect the platform, two potential cross-site scripting vulnerabilities, were fixed back in January 2008.
The remaining two issues exist in Adobe Connect, the company’s web conferencing software. One bug, an unrestricted SWF file upload vulnerability (CVE-2018-4921) could be used to carry out a cross-site scripting attack. The other, another OS command injection vulnerability (CVE-2018-4923) could let an attacker perform an unintended arbitrary local file removal or forcibly uninstall the application. The bugs are rated important when it comes to severity and Adobe is encouraging users to update to version 9.7 of the software across all platforms to fix them.
Absent from this month’s update was an update for Adobe Reader, a popular target this week and every year at Pwn2Own, an annual hacking competition held in Vancouver alongside CanSecWest.
Last year two teams managed to take down Adobe Reader and combined other Windows kernel flaws into their attacks to achieve system-level privilege escalation. One won $50,000, another won $25,000. The maximum prize for taking down Reader this year is $90,000.