Security Experts:

Critical Code Execution Flaw Patched in Flash Player

Adobe has patched several vulnerabilities in its Flash Player, Creative Cloud and Connect products, but the company believes it’s unlikely that the flaws will be exploited in the wild any time soon.

Only one vulnerability has been patched in Flash Player with the release of version 29.0.0.171 for Windows, Mac, Linux and Chrome OS. The issue, reported to Adobe by Jihui Lu of Tencent KeenLab, impacts Flash Player 29.0.0.140 and earlier versions.

The flaw is a critical type confusion that allows arbitrary code execution (CVE-2018-4944), but Adobe has assigned it a severity rating of “2,” which indicates that exploits are not considered imminent and there is no rush to install the update.

A total of three security holes have been patched by Adobe in the Creative Cloud desktop applications for Windows and macOS. Researchers discovered that version 4.4.1.298 and earlier of the apps are impacted by an improper input validation issue that can lead to privilege escalation, an improper certificate validation problem that can lead to a security bypass, and a flaw described as an “unquoted search path” that can be exploited for privilege escalation.

The certificate validation vulnerability has been classified “critical,” while the other two issues have been rated “important.” All of them have a priority rating of “2.”

Wei Wei of Tencent's Xuanwu Lab, Ryan Hileman of Talon Voice, Chi Chou, and Cyril Vallicari of HTTPCS – Ziwit have been credited for finding the flaws.

Finally, Adobe patched an “important” authentication bypass vulnerability affecting Connect versions 9.7.5 and earlier. Exploitation of the flaw can result in the exposure of sensitive information.

Related: Adobe Patches Vulnerabilities in Six Products

Related: Adobe Patches Flash Zero-Day Exploited by North Korean Hackers

Related: Adobe Patches Critical Code Execution Flaws in Dreamweaver, Flash

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.