Adobe’s Patch Tuesday this month covered multiple serious vulnerabilities including both a critical and important patch affecting Flash.
The Flash player updates affected for Windows, Macintosh, Linux and Chrome OS and addressed a critical type confusion vulnerability that could lead to code execution, and an important security bypass vulnerability that could lead to information disclosure, according to an August 8 Security Bulletin.
The vulnerabilities affected products including Adobe Flash Player Desktop Runtime for versions 18.104.22.168 and earlier, Adobe Flash Player for Google Chrome version 22.214.171.124 and earlier, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 versions 126.96.36.199 and earlier. Last month, Adobe announced it is scheduled to end Flash at the end of 2020.
The update also included patches for Adobe Experience Manager including two moderate vulnerabilities that could result in an information disclosure and one important vulnerability that could result in arbitrary code execution attacks.
Adobe also addressed several critical and important vulnerabilities in Adobe Acrobat and Reader, all of which could result in either a remote execution or information disclosure. The flaws stemmed from memory corruption, use after free bugs, heap overflow, security bypass, type confusion flaws and one insufficient verification of data authentication flaw.
In Adobe Digital Editions, the update patched two critical flaws and one important flaw which could result in remote code execution, information disclosure, and memory address disclosure, respectively.
The two critical flaws respectively stemmed from a buffer overflow and XML External Entity Parsing while the final flaw stemmed from memory corruption.
Researchers recommend users patch their systems as soon as possible.There have been a number of critical patches this Patch Tuesday Chris Goettl, product manager with Ivanti told SC Media.
“The Flash Player update is rated as Priority 1, the other three are rated as Priority 2. The AcrobatReader update is a bit odd this month,” Goettl said.“ 69 total CVEs resolved, 43 of which are rated as Critical CVEs yet it is still rated as a Priority 2. Compare this to the Flash update with 2 CVEs, 1 of which was Critical and the math just does not add up”
Goettl added that patching the AcrobatReader update should be a top priority