Security updates released by Adobe on Tuesday patch several vulnerabilities in the company’s Dreamweaver, Flash Player and Connect products.
Flash Player 18.104.22.168 for Windows, Mac, Linux and Chrome OS addresses two critical flaws affecting versions 22.214.171.124 and earlier.
The vulnerabilities have been described as a use-after-free bug (CVE-2018-4919) and a type confusion issue (CVE-2018-4920), both of which can be exploited for remote code execution. While they have been classified as critical, Adobe has assigned them a priority rating of “2,” which indicates that the company does not expect to see exploits any time soon.
The security holes were discovered by Yuki Chen of Qihoo 360 Vulcan Team, who reported them to Adobe via the Chromium Vulnerability Rewards Program.
In Dreamweaver CC, Adobe resolved a critical OS command injection vulnerability discovered by researcher Andrea Micalizzi, also known as “rgod.” The flaw is serious, but the product has never been targeted by hackers, at least to Adobe’s knowledge.
The flaw, CVE-2018-4924, affects versions 18.0 and earlier for Windows and it’s related to the Dreamweaver URI handler. An attacker can exploit the weakness for arbitrary code execution in the context of the current user.
The latest version of Adobe Connect patches two important vulnerabilities: an OS command injection flaw that can lead to arbitrary file deletion, and an unrestricted SWF file upload bug that can be exploited for cross-site scripting (XSS) attacks. Micalizzi and Ciaran McNally have been credited for finding the flaws.
Adobe was recently forced to release an out-of-band update for Flash Player after learning of a vulnerability that had been exploited in targeted attacks by a threat actor believed to be from North Korea.
Microsoft’s Patch Tuesday updates for this month fix over 70 vulnerabilities, including more than a dozen critical flaws affecting the Edge and Internet Explorer web browsers.