Adobe has patched a total of 19 vulnerabilities across six of its products, including Flash Player, Experience Manager, InDesign CC, Digital Editions, ColdFusion and the PhoneGap Push plugin.
A total of six flaws rated critical and important have been fixed in Flash Player with the release of version 29.0.0.140, including use-after-free, out-of-bounds read, out-of-bounds write and heap overflow bugs that can lead to remote code execution and information disclosure.
Four of the vulnerabilities have been reported to Adobe by researchers at Google Project Zero. While some of the issues have been rated critical, Adobe says there is no evidence of malicious exploitation and the company does not believe exploits are imminent.
The number of vulnerabilities fixed in Flash Player has dropped significantly since Adobe announced its intention to kill the application in 2020. However, malicious actors have not given up trying to find security holes they can exploit. In February, Adobe issued an emergency update to address a zero-day used by North Korean hackers.
The April Patch Tuesday updates from Adobe also cover Experience Manager, in which the company patched three moderate and important cross-site scripting (XSS) flaws.
An update has also been released for Adobe InDesign CC to fix a critical memory corruption that allows arbitrary code execution via specially crafted .inx files, and an untrusted search path issue in the installer that can lead to privilege escalation.
The latest version of Adobe Digital Editions resolves an out-of-bounds read vulnerability and a stack overflow, both of which can result in disclosure of information.
ColdFusion version 11 and the 2016 release have also received security updates. A total of five flaws have been patched, including local privilege escalation, remote code execution and information disclosure issues.
Finally, the Adobe PhoneGap Push plugin has been updated to address a same-origin method execution bug that exposes apps built with the affected plugin to JavaScript code execution.
Related: Adobe Patches 39 Vulnerabilities in Acrobat and Reader
Related: Adobe Patches Critical Code Execution Flaws in Dreamweaver, Flash
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
Latest News
- What if the Current AI Hype Is a Dead End?
- Microsoft Makes SMB Signing Default Requirement in Windows 11 to Boost Security
- Zyxel Urges Customers to Patch Firewalls Against Exploited Vulnerabilities
- Gigabyte Rolls Out BIOS Updates to Remove Backdoor From Motherboards
- SBOMs – Software Supply Chain Security’s Future or Fantasy?
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
