Data Insider: Digital Guardian's Blog

Adobe Updates Fix Critical Vulnerabilities in ColdFusion, Campaign, and Flash Player

by Chris Brook on Tuesday June 11, 2019


Adobe is urging users to patch 11 vulnerabilities, five of them critical, across three products this week.

As it customarily does on the second Tuesday of each month, Adobe released security updates this week. The June batch resolves 11 vulnerabilities in total (three in ColdFusion, seven in Campaign and one in Flash Player), five of them rated critical.

The company pushed updates on Tuesday morning for ColdFusion, its rapid application development platform for web applications; Campaign, its marketing campaign management platform; and, of course, its ubiquitous and soon-to-be-retired Flash Player.

Each of the updates addresses at least one critical vulnerability.

The ColdFusion update resolves three vulnerabilities, all of which could lead to arbitrary code execution: a file extension blacklist bypass, exploitable only if the file upload directory is web accessible, a command injection vulnerability, and a deserialization of untrusted data vulnerability. The update covers ColdFusion 2018, ColdFusion 2016 and ColdFusion 11, the last of which was released in 2014. The blacklist bypass is a reminder that a server-side upload filter should accept a short allowlist of extensions rather than reject a list of known-bad ones, and that uploaded files should be stored outside the web root under a server-chosen name, so that even a filter bypass cannot be reached over HTTP.
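To make the allowlist-versus-blacklist point concrete, here is a small added example in Python. It is illustration written for this post, not Adobe's code and not the actual ColdFusion bug: the extension lists, the function names and the sample filenames are all assumptions. It shows how a blacklist check built on a naive `splitext` is slipped by classic tricks (different case, a trailing dot, a second extension), and what a hardened allowlist check with a server-chosen storage name looks like.

```python
"""
Added illustration (not Adobe's or Digital Guardian's code) of a weak
blacklist-based upload filter beside a hardened allowlist-based one.
All names, lists and sample filenames below are assumptions.
"""
import os
import secrets

# Assumed blacklist a naive filter might use to block server-executable uploads.
BLACKLIST = {".cfm", ".cfc", ".cfml", ".jsp", ".php", ".exe"}

# Assumed allowlist of the only extensions this application needs to accept.
ALLOWLIST = {".png", ".jpg", ".pdf"}


def blacklist_check(filename: str) -> bool:
    """Naive filter: accept unless the literal extension is on the blacklist.

    Weak because it compares case-sensitively, looks only at the last
    extension, and treats a trailing dot as an (empty) extension.
    """
    _, ext = os.path.splitext(filename)
    return ext not in BLACKLIST


def allowlist_check(filename: str) -> bool:
    """Hardened filter: normalise the name, then accept only known-safe extensions.

    - rejects any path component, so '../x.png' cannot escape the upload dir
    - rejects empty, hidden and control-character names
    - requires exactly one dot, which also defeats 'shell.cfm;.png' style names
    - compares the lowercased extension against the allowlist
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or not base or base.startswith("."):
        return False
    if any(ord(c) < 0x20 for c in base):
        return False
    if base.count(".") != 1 or base.endswith("."):
        return False
    _, ext = os.path.splitext(base)
    return ext.lower() in ALLOWLIST


def stored_name(filename: str) -> str:
    """Server-chosen name for an accepted upload: random stem plus the
    lowercased allowlisted extension. The caller should write it to a
    directory outside the web root, so a filter bypass still yields nothing
    that can be requested over HTTP.
    """
    if not allowlist_check(filename):
        raise ValueError("upload rejected")
    _, ext = os.path.splitext(filename)
    return secrets.token_hex(16) + ext.lower()


def compare(filenames):
    """Run both checks over a list of names; returns {name: (blacklist, allowlist)}."""
    return {f: (blacklist_check(f), allowlist_check(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample names: classic blacklist bypasses beside legitimate uploads.
    samples = ["photo.JPG", "shell.cfm", "shell.CFM", "shell.cfm.",
               "shell.cfm;.png", "../photo.png"]
    for name, (weak, strong) in compare(samples).items():
        print(f"{name!r:20} blacklist allows={weak!s:5} allowlist allows={strong}")
```

Note the single-dot rule is a deliberate trade-off: it rejects names such as `report.final.pdf`, which is acceptable here because the original name is never used for storage anyway.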

The Campaign update addresses seven vulnerabilities, but only one of them is rated critical: a command injection vulnerability (CVE-2019-7850) that can lead to arbitrary code execution. The remaining fixes resolve a mix of moderate and important issues, including improper error handling, inadequate access control, and an information disclosure issue stemming from insufficient input validation.

The Campaign update affects Campaign Classic versions 18.10.5-8984 and earlier; it brings the software to version 19.1.1-9026 on Windows and Linux.

Lastly, the Flash Player update addresses just one issue, but it is a critical use-after-free vulnerability that, like the others patched on Tuesday, could lead to arbitrary code execution if exploited. Little is known about the vulnerability (CVE-2019-7845) beyond the fact that it was reported anonymously through Trend Micro's Zero Day Initiative.

The vulnerability affects versions 32.0.0.192 and earlier of Adobe Flash Player Desktop Runtime (for Windows, macOS and Linux), Adobe Flash Player for Google Chrome (for Windows, macOS, Linux and Chrome OS) and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (for Windows 10 and 8.1). Users are being urged to update to version 32.0.0.207 to mitigate the vulnerability. Note that the Chrome and Edge/Internet Explorer builds are updated through the browser and Windows Update respectively rather than from Adobe directly, so admins should confirm the installed version on those platforms rather than assume the desktop runtime patch covers them.

The updates are likely a welcome reprieve for admins following last month's massive update, in which Adobe fixed 87 vulnerabilities across three product families: Acrobat and Reader, Flash Player, and Media Encoder.

As usual, Microsoft also pushed updates on Tuesday, fixing 88 vulnerabilities across more than a dozen products, including Internet Explorer, Edge, Windows, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, Skype for Business and Microsoft Lync, Exchange Server, Azure, and SQL Server.

Tags: Vulnerabilities


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.