Adobe rolled out its monthly patch release today, and the news isn’t necessarily what was patched, but what wasn’t.
For the first time since January, Adobe did not release a security update for Flash Player. Given Flash’s legacy of being a target-rich environment for cybercriminals and advanced attackers, a month without Flash patches is quite the respite.
Since February, there have been monthly Flash Player updates, including emergency patches for zero-day vulnerabilities being publicly exploited in each of April, May and June.
Last month, Adobe patched 52 vulnerabilities in Flash, most of which allowed for remote code execution, in one of the biggest security updates of the year from Adobe.
Today’s update provides hotfixes for four flaws in Adobe Experience Manager, the company’s enterprise web content management system. The software allows for content creation and publication, as well as customization of certain site and design components and administration capabilities.
Adobe said versions 6.2, 6.1, 6.0 and 5.6.1 are affected on Windows, Unix, Linux and Mac OS X machines.
All of the vulnerabilities are rated “important” in severity. Two are input validation flaws that can be used in cross-site scripting attacks (CVE-2016-4168 and CVE-2016-4170), while another bug (CVE-2016-4253), disclosed in the software’s backup functionality, could lead to information disclosure. The final vulnerability (CVE-2016-4169) allows unprivileged users to access audit logs.
Adobe said that it is not aware of any public attacks against these vulnerabilities.