Adobe issued a light load of Patch Tuesday security updates today releasing only eight, with five rated critical with two of these affecting Flash Player.
The two critical Flash Player issues would allow for remote code execution if exploited, Adobe reported. The memory corruption issues, CVE-2017-11281 and CVE-2017-11282, affect Windows, Macintosh, Linux and Chrome OS and were picked up by Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero.
The company has not spotted these vulnerabilities being exploited in the wild.
The remaining three critical patches, CVE-2017-11286, CVE-2017-11283 and CVE-2017-11284, were in Cold Fusion. The first is a parsing vulnerability could allow information disclosure, while the latter two mitigate unsafe Java deserialization that could result in remote code execution.
Cold Fusion also had one patch, CVE-2017-11285, rated important that also could lead to information disclosure. No exploits for these problems have been seen in the wild.
Nick Bloor of NCC Group, Daniel Sayk of Telekom Security and Daniel Lawson of Depth Security were credited with disclosing these issues.
Adobe RoboHelp closes out the September updates with one important update, CVE-2017-3104, and CVE-2017-3105 which is rated moderate. If left unpatched the first would allow for a DOM-based cross-site scripting attack with the second potentially allowing an open redirect attack.
Reynold Regan of CNSI – Center for Technology & Innovation, Chennai found and reported both issues.
Adobe is not aware of any exploits in the wild associated with these vulnerabilities.