Adobe patches critical vulnerabilities in Flash, Dreamweaver


Adobe has patched a set of critical vulnerabilities which can lead to remote code execution, information leaks, and file deletion.

On Tuesday, the tech giant’s security advisory noted that the vulnerabilities impact Adobe Flash Player, Adobe Connect, and Adobe Dreamweaver CC.

Two of the vulnerabilities relate to Flash: a use-after-free flaw (CVE-2018-4919) and a type confusion bug (CVE-2018-4920). Both are critical and impact Adobe Flash Player 28.0.0.161 and earlier on the Windows, Macintosh, Linux and Chrome OS platforms.

Adobe says that successful exploitation may lead to arbitrary code execution in the context of the current user.

“This patch remediates two critical vulnerabilities and should be prioritized for workstation-type devices,” said Jimmy Graham, Qualys Director of Product Management. “There are currently no active attacks against these vulnerabilities.”

Adobe also addressed two vulnerabilities in Adobe Connect. The first security flaw, CVE-2018-4923, is an OS Command Injection bug which can lead to arbitrary file deletion. The second vulnerability, CVE-2018-4921, is an unrestricted SWF file upload flaw which may lead to information disclosure.

The final bug, CVE-2018-4924, is a critical OS Command Injection flaw in Adobe Dreamweaver CC. Successful exploitation allows attackers to execute arbitrary code.

Adobe thanked Yuki Chen of Qihoo 360 Vulcan Team working alongside the Chromium Vulnerability Rewards Program and independent researchers Rgod and Ciaran McNally for reporting the issues.

The company recommends that users update their software versions immediately to stay protected.

To read the original article:

http://www.zdnet.com/article/adobe-patches-critical-vulnerabilities-in-flash-dreamweaver/
