The Most Comprehensive Data Protection Solution
Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.
First and Only Solution to Converge:
- Data Loss Prevention
- Endpoint Detection and Response
- User and Entity Behavior Analytics
Adobe is urging users to patch 10 vulnerabilities, five of them critical, in three different products this week.
As it customarily does on the second Tuesday of each month, Adobe urged users to patch several vulnerabilities – 10 total, some of them critical - in its software line this week.
The company pushed updates on Tuesday morning for ColdFusion - its rapid development platform for building modern web applications, Campaign - its marketing campaign platform, and – of course – its ubiquitous, near-death Flash Player.
Each of the updates address at least one critical vulnerability.
The ColdFusion update resolves three vulnerabilities, including a file extension blacklist bypass that can be exploited if the file uploads directory is web accessible, a command injection vulnerability, and a deserialization of untrusted data vulnerability, that could all lead to arbitrary code execution. The updates affect ColdFusion 2018, ColdFusion 2016, and ColdFusion 11, released in 2014.
The Campaign update actually addresses seven vulnerabilities but only one of them is branded critical, a command injection vulnerability - CVE-2019-7850, as it can lead to arbitrary code execution. The rest of the fixes resolve a mix of moderate to important issues like improper error handling, inadequate access control, and an information disclosure issue stemming from insufficient input validation.
The Campaign update affects Campaign Classic versions 18.10.5-8984 and earlier; it brings the software to versions 19.1.1-9026 on Windows and Linux.
Lastly, the Flash Player update addresses just one issue but it’s a critical use after free vulnerability that, like the others patched on Tuesday, could lead to arbitrary code execution if exploited. Little is known about the vulnerability (CVE-2019-7845) outside of the fact that it was anonymously reported via Trend Micro’s Zero Day Initiative.
The vulnerability impacts versions 184.108.40.206 and earlier of Adobe Flash Player Desktop Runtime (for Windows, macOS and Linux), Adobe Flash Player for Google Chrome (for Windows, macOS, Linux and Chrome OS) and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (for Windows 10 and 8.1). Users are being urged to update to version 220.127.116.11 to mitigate the vulnerability.
The updates are likely a welcome reprieve for admins following last months' massive update that saw Adobe fix 87 vulnerabilities across three families of programs including Acrobat and Reader, Flash Player, and Media Encoder.
Per usual, Microsoft also pushed updates on Tuesday, fixing 88 vulnerabilities across a dozen plus products, including Internet Explorer, Edge, Windows, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, Skype for Business and Microsoft Lync, Exchange Server, Azure, and SQL Server.