Adobe Releases Security Patches

Thursday, March 15, 2018 @ 04:03 PM gHale

Adobe released security updates fixing holes in its Dreamweaver, Flash Player and Connect lines.

Flash Player 29.0.0.113 for Windows, Mac, Linux and Chrome OS fixed two critical flaws hitting versions 28.0.0.161 and earlier.

RELATED STORIES
Adobe Patches Acrobat, Reader, Experience Manager
Microsoft Fixes 50 Vulnerabilities
Microsoft Updates Windows to Fix Flash
Flash Zero Day Under Attack

The vulnerabilities are a use-after-free (CVE-2018-4919) and a type confusion issue (CVE-2018-4920), both of which can be exploited for remote code execution.

While they have been classified as critical, Adobe gave them a priority rating of “2,” which indicates the company does not expect to see exploits soon.

The security holes were discovered by Yuki Chen of Qihoo 360 Vulcan Team, who reported them to Adobe via the Chromium Vulnerability Rewards Program.

In Dreamweaver CC, Adobe fixed a critical OS command injection vulnerability discovered by researcher Andrea Micalizzi, also known as “rgod.” The flaw is serious, but the product has never been targeted by hackers, at least to Adobe’s knowledge.

The flaw, CVE-2018-4924, affects versions 18.0 and earlier for Windows and it relates to the Dreamweaver URI handler. An attacker can exploit the weakness for arbitrary code execution in the context of the current user.

The latest version of Adobe Connect clears two important vulnerabilities: An OS command injection flaw that can lead to arbitrary file deletion, and an unrestricted SWF file upload bug that can be exploited for cross-site scripting (XSS) attacks.



Leave a Reply

You must be logged in to post a comment.