Security Experts:

Adobe Patches Two Critical Flaws in Flash Player

Adobe has patched only two vulnerabilities in Flash Player this month, but they can both be exploited for remote code execution and both have been classified as critical.

The flaws, tracked as CVE-2017-11281 and CVE-2017-11282, were discovered by Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero in Flash Player and earlier. The security holes are caused by memory corruption issues.

Adobe said there was no evidence that either of the two flaws had been exploited in attacks before the patches were released. Adobe and several tech giants have decided to kill Flash Player by the end of 2020.

The company has also released patches for a couple of vulnerabilities affecting the Windows version of its help authoring tool RoboHelp. RoboHelp 2017.0.1 and earlier and and earlier are affected by an important input validation flaw that can be exploited for cross-site scripting (XSS) attacks, and a moderate-severity unvalidated URL redirect issue that can be leveraged for phishing attacks.

Reynold Regan of the CNSI - Center for Technology & Innovation in Chennai has been credited for reporting the weaknesses to Adobe.

Security updates have also been released for ColdFusion 11 and 2016 to address a critical XML parsing vulnerability and an XSS flaw that can lead to information disclosure. The updates also include mitigations designed to prevent remote code execution via unsafe Java deserialization.

Nick Bloor of NCC Group, Daniel Sayk of Telekom Security, and Daniel Lawson of Depth Security have reported these flaws to Adobe.

Related: Adobe Patches 69 Flaws in Reader, Acrobat

Related: Adobe Fixes Vulnerabilities in Flash Player, Connect

Related: Firefox Makes Adobe Flash Click-to-Activate by Default

Related: Adobe Patches Flaws in Creative Cloud, RoboHelp

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.