Security News > 2018 > March > Adobe Patches Critical Code Execution Flaws in Dreamweaver, Flash
Security updates released by Adobe on Tuesday patch several vulnerabilities in the company’s Dreamweaver, Flash Player and Connect products. Flash Player 29.0.0.113 for Windows, Mac, Linux and Chrome OS addresses two critical flaws affecting versions 28.0.0.161 and earlier. The vulnerabilities have been described as a use-after-free bug (CVE-2018-4919) and a type confusion issue (CVE-2018-4920), both of which can be exploited for remote code execution. While they have been classified as critical, Adobe has assigned them a priority rating of “2,” which indicates that the company does not expect to see exploits any time soon. The security holes were discovered by Yuki Chen of Qihoo 360 Vulcan Team, who reported them to Adobe via the Chromium Vulnerability Rewards Program. In Dreamweaver CC, Adobe resolved a critical OS command injection vulnerability discovered by researcher Andrea Micalizzi, also known as “rgod.” The flaw is serious, but the product has never been targeted by hackers, at least to Adobe’s knowledge. The flaw, CVE-2018-4924, affects versions 18.0 and earlier for Windows and it’s related to the Dreamweaver URI handler. An attacker can exploit the weakness for arbitrary code execution in the context of the current user. The latest version of Adobe Connect patches two important vulnerabilities: an OS command injection flaw that can lead to arbitrary file deletion, and an unrestricted SWF file upload bug that can be exploited for cross-site scripting (XSS) attacks. Micalizzi and Ciaran McNally have been credited for finding the flaws. Adobe was recently forced to release an out-of-band update for Flash Player after learning of a vulnerability that had been exploited in targeted attacks by a threat actor believed to be from North Korea. Microsoft’s Patch Tuesday updates for this month fix over 70 vulnerabilities, including more than a dozen critical flaws affecting the Edge and Internet Explorer web browsers. Related: Adobe Patches 'Business Logic Error' in Flash Player Related: Adobe Patch Tuesday Updates Fix Only One Flash Player Flaw Related: Adobe Patches 39 Vulnerabilities in Acrobat and Reader (function() { var po = document.createElement("script"); po.type = "text/javascript"; po.async = true; po.src = "https://apis.google.com/js/plusone.js"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(po, s); })(); Tweet Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.Previous Columns by Eduard Kovacs:Adobe Patches Critical Code Execution Flaws in Dreamweaver, FlashMicrosoft Patches Over Dozen Critical Browser FlawsFacebook Flaws Exposed Friend Lists, Payment Card DataStealthy Data Exfiltration Possible via Headphones, SpeakersRemotely Exploitable Flaws Found in SmartCam Cameras 2018 ICS Cyber Security Conference | USA [Oct. 22-25] Register for the 2018 CISO Forum at Half Moon Bay 2018 ICS Cyber Security Conference | Singapore [April. 24-26] sponsored links Tags: NEWS & INDUSTRY Vulnerabilities
News URL
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2018-05-19 | CVE-2018-4919 | Use After Free vulnerability in Adobe Flash Player and Flash Player Desktop Runtime Adobe Flash Player versions 28.0.0.161 and earlier have an exploitable use after free vulnerability. | 8.8 |
2018-05-19 | CVE-2018-4920 | Type Confusion vulnerability in Adobe Flash Player and Flash Player Desktop Runtime Adobe Flash Player versions 28.0.0.161 and earlier have an exploitable type confusion vulnerability. | 8.8 |
2018-05-19 | CVE-2018-4924 | OS Command Injection vulnerability in Adobe Dreamweaver Adobe Dreamweaver CC versions 18.0 and earlier have an OS Command Injection vulnerability. | 9.8 |