Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Adobe Patches Critical Code Execution Flaws in Dreamweaver, Flash

Security updates released by Adobe on Tuesday patch several vulnerabilities in the company’s Dreamweaver, Flash Player and Connect products.

Security updates released by Adobe on Tuesday patch several vulnerabilities in the company’s Dreamweaver, Flash Player and Connect products.

Flash Player 29.0.0.113 for Windows, Mac, Linux and Chrome OS addresses two critical flaws affecting versions 28.0.0.161 and earlier.

The vulnerabilities have been described as a use-after-free bug (CVE-2018-4919) and a type confusion issue (CVE-2018-4920), both of which can be exploited for remote code execution. While they have been classified as critical, Adobe has assigned them a priority rating of “2,” which indicates that the company does not expect to see exploits any time soon.

The security holes were discovered by Yuki Chen of Qihoo 360 Vulcan Team, who reported them to Adobe via the Chromium Vulnerability Rewards Program.

In Dreamweaver CC, Adobe resolved a critical OS command injection vulnerability discovered by researcher Andrea Micalizzi, also known as “rgod.” The flaw is serious, but the product has never been targeted by hackers, at least to Adobe’s knowledge.

The flaw, CVE-2018-4924, affects versions 18.0 and earlier for Windows and it’s related to the Dreamweaver URI handler. An attacker can exploit the weakness for arbitrary code execution in the context of the current user.

The latest version of Adobe Connect patches two important vulnerabilities: an OS command injection flaw that can lead to arbitrary file deletion, and an unrestricted SWF file upload bug that can be exploited for cross-site scripting (XSS) attacks. Micalizzi and Ciaran McNally have been credited for finding the flaws.

Adobe was recently forced to release an out-of-band update for Flash Player after learning of a vulnerability that had been exploited in targeted attacks by a threat actor believed to be from North Korea.

Advertisement. Scroll to continue reading.

Microsoft’s Patch Tuesday updates for this month fix over 70 vulnerabilities, including more than a dozen critical flaws affecting the Edge and Internet Explorer web browsers.

Related: Adobe Patches ‘Business Logic Error’ in Flash Player

Related: Adobe Patch Tuesday Updates Fix Only One Flash Player Flaw

Related: Adobe Patches 39 Vulnerabilities in Acrobat and Reader

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.