Adobe Patches Two Critical RCE Vulnerabilities in Flash Player


Adobe may kill Flash Player by the end of 2020, but until then the company will keep providing security updates for the buggy software.

As part of its monthly security updates, Adobe has released patches for eight security vulnerabilities across three of its products: two in Flash Player, four in ColdFusion, and two in RoboHelp. Five of these are rated as critical.

Both of the Adobe Flash Player vulnerabilities can be exploited for remote code execution on the affected device, and both have been classified as critical.

None of the patched vulnerabilities has reportedly been exploited in the wild, according to the company.

The critical Flash Player flaws are tracked as CVE-2017-11281 and CVE-2017-11282 and were discovered by Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero, respectively.

Both security vulnerabilities are memory corruption issues that could lead to remote code execution, and they affect all major operating systems, including Windows, Macintosh, Linux and Chrome OS.

The vulnerabilities have been fixed in the latest Flash Player version, 27.0.0.130.

The remaining three critical flaws and one important flaw reside in ColdFusion: a critical XML parsing flaw (CVE-2017-11286), an important XSS (cross-site scripting) bug (CVE-2017-11285) that could lead to information disclosure, and a mitigation for unsafe Java deserialization that could result in remote code execution (CVE-2017-11283, CVE-2017-11284).

These vulnerabilities affect all platforms and have been discovered and reported by Nick Bloor of NCC Group, Daniel Sayk of Telekom Security and Daniel Lawson of Depth Security.

The issues have been patched in the latest Adobe ColdFusion version 2016 Release Update 5 and version 11 Update 13.

The remaining two flaws, one important (CVE-2017-3104) and one rated moderate (CVE-2017-3105), affect the Windows version of Adobe's help authoring tool RoboHelp.

The important bug is an input validation flaw that could allow for a DOM-based cross-site scripting (XSS) attack, while the moderate-severity unvalidated URL redirect vulnerability could be used in phishing campaigns to deliver malware.

The vulnerabilities have been patched in the latest Adobe RoboHelp version RH2017.0.2 and RH12.0.4.460 (Hotfix).

Although no exploits for these patched vulnerabilities have been spotted in the wild by the company, users are strongly advised to patch their software as soon as possible to protect themselves from any remote attack.

This article originally appeared on THN
