Network Security, Patch/Configuration Management, Vulnerability Management

Adobe Patch Tuesday addressees Flash bypass and code execution flaws

Adobe's Patch Tuesday this month covered multiple serious vulnerabilities including both a critical and important patch affecting Flash.

The Flash player updates affected for Windows, Macintosh, Linux and Chrome OS and addressed a critical type confusion vulnerability that could lead to code execution, and an important security bypass vulnerability that could lead to information disclosure, according to an August 8 Security Bulletin.

The vulnerabilities affected products including Adobe Flash Player Desktop Runtime for versions and earlier, Adobe Flash Player for Google Chrome version and earlier, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 versions and earlier. Last month, Adobe announced it is scheduled to end Flash at the end of 2020.

The update also included patches for Adobe Experience Manager including two moderate vulnerabilities that could result in an information disclosure and one important vulnerability that could result in arbitrary code execution attacks.

Adobe also addressed several critical and important vulnerabilities in Adobe Acrobat and Reader, all of which could result in either a remote execution or information disclosure. The flaws stemmed from memory corruption, use after free bugs, heap overflow, security bypass, type confusion flaws and one insufficient verification of data authentication flaw.

In Adobe Digital Editions, the update patched two critical flaws and one important flaw which could result in remote code execution, information disclosure, and memory address disclosure, respectively.

The two critical flaws respectively stemmed from a buffer overflow and XML External Entity Parsing while the final flaw stemmed from memory corruption.

 Researchers recommend users patch their systems as soon as possible.There have been a number of critical patches this Patch Tuesday Chris Goettl, product manager with Ivanti told SC Media. 

“The Flash Player update is rated as Priority 1, the other three are rated as Priority 2.  The AcrobatReader update is a bit odd this month,” Goettl said.“ 69 total CVEs resolved, 43 of which are rated as Critical CVEs yet it is still rated as a Priority 2. Compare this to the Flash update with 2 CVEs, 1 of which was Critical and the math just does not add up”

Goettl added that patching the AcrobatReader update should be a top priority 


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.