Adobe Patches Multiple Vulnerabilities
Monday, February 15, 2016 @ 10:02 AM gHale
Adobe released security updates and hotfixes last week to address vulnerabilities in Flash Player, Photoshop, Bridge, Connect, and Experience Manager.
Adobe Flash Player 18.104.22.1686 patches 22 memory corruption flaws that can be leveraged for arbitrary code execution. The issues were reported to Adobe by researchers at Google, Microsoft, NSFOCUS, Venustech, Qihoo360, and an anonymous researcher.
Updates released by Adobe for Photoshop CC and Bridge CC resolve three memory corruption vulnerabilities an attacker could use for code execution. The flaws were discovered by Francis Provencher of COSIG.
For the Windows version of its Connect web conferencing software, Adobe released updates to address a content spoofing issue and an insufficient input validation flaw affecting a URL parameter. The update also includes protection against cross-site request forgery (CSRF) attacks. Eugene Dokukin, Francisco Correa and Lawrence Amer discovered the issues.
Hotfixes released by the company for versions 6.1.0, 6.0.0 and 5.6.1 of the enterprise content management solution Adobe Experience Manager patch four vulnerabilities affecting the Windows, Unix, Linux and OS X versions of the product.
The list of security bugs includes a Java deserialization issue, a cross-site scripting (XSS) vulnerability that could lead to information disclosure, a URL filter bypass, and an information disclosure bug in Apache Sling Servlets Post 2.3.6.
Damian Pfammatter of Compass Security Schweiz AG and Ateeq ur Rehman Khan of Vulnerability Lab found the Experience Manager vulnerabilities.
Adobe said it is not aware of any ongoing attacks against the vulnerabilities.