
Adobe Patch Tuesday addresses Flash bypass and code execution flaws

Adobe's Patch Tuesday this month covered multiple serious vulnerabilities including both a critical and important patch affecting Flash.

The Flash Player updates for Windows, Macintosh, Linux and Chrome OS addressed a critical type confusion vulnerability that could lead to code execution, and an important security bypass vulnerability that could lead to information disclosure, according to an August 8 Security Bulletin.

The vulnerabilities affected products including Adobe Flash Player Desktop Runtime versions 26.0.0.137 and earlier, Adobe Flash Player for Google Chrome versions 26.0.0.137 and earlier, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 versions 26.0.0.137 and earlier. Last month, Adobe announced that it is scheduled to end Flash at the end of 2020.

The update also included patches for Adobe Experience Manager including two moderate vulnerabilities that could result in an information disclosure and one important vulnerability that could result in arbitrary code execution attacks.

Adobe also addressed several critical and important vulnerabilities in Adobe Acrobat and Reader, all of which could result in either a remote execution or information disclosure. The flaws stemmed from memory corruption, use-after-free bugs, heap overflow, security bypass, type confusion flaws and one insufficient verification of data authentication flaw.

In Adobe Digital Editions, the update patched two critical flaws and one important flaw which could result in remote code execution, information disclosure, and memory address disclosure, respectively.

The two critical flaws respectively stemmed from a buffer overflow and XML External Entity Parsing while the final flaw stemmed from memory corruption.

Researchers recommend users patch their systems as soon as possible. There have been a number of critical patches this Patch Tuesday, Chris Goettl, product manager with Ivanti, told SC Media.

“The Flash Player update is rated as Priority 1, the other three are rated as Priority 2. The Acrobat/Reader update is a bit odd this month,” Goettl said. “69 total CVEs resolved, 43 of which are rated as Critical CVEs yet it is still rated as a Priority 2. Compare this to the Flash update with 2 CVEs, 1 of which was Critical and the math just does not add up.”

Goettl added that applying the Acrobat/Reader update should be a top priority.

 
