Adobe Fixes Flash Flaws

Wednesday, September 13, 2017 @ 02:09 PM gHale


September was a quiet month for vulnerability patching at Adobe, as the company patched just two vulnerabilities in Flash Player this month.

That was the good news. The bad news is that the vulnerabilities can be exploited for remote code execution, and both have been classified as critical.


The flaws, CVE-2017-11281 and CVE-2017-11282, were discovered by Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero in Flash Player 26.0.0.151 and earlier. The vulnerabilities are the result of memory corruption issues.

Adobe said there was no evidence that either of the two flaws had been exploited in attacks before the patches were released.

Adobe also released patches for a couple of vulnerabilities affecting the Windows version of its help authoring tool RoboHelp.

RoboHelp 2017.0.1 and earlier and 12.0.4.460 and earlier are affected by an important input validation flaw that can be exploited for cross-site scripting (XSS) attacks, and a moderate-severity unvalidated URL redirect issue that can be leveraged for phishing attacks.

Reynold Regan of the CNSI – Center for Technology & Innovation in Chennai discovered the vulnerabilities.

Fixes also went out for ColdFusion 11 and 2016 to address a critical XML parsing vulnerability and an XSS flaw that can lead to information disclosure. The updates also include mitigations designed to prevent remote code execution via unsafe Java deserialization.


