Adobe fixed six vulnerabilities in two products, one of the company’s smallest security bulletins in recent memory, as part of its regularly scheduled round of updates on Tuesday.
The bulletin covers the company’s Flash Player software platform, including a fix for a critical vulnerability (CVE-2017-3099) that could let an attacker execute code remotely. The update, which brings Flash to version 220.127.116.11 across most builds, also addresses an information disclosure bug and a memory address disclosure bug.
Other than the fact the remote code execution bug was found by Jihui Lu working with Tencent KeenLab and the memory address disclosure bug was found by bo13oy working with Trend Micro’s Zero Day Initiative, details were scant on the vulnerabilities.
The company also fixed three vulnerabilities in Adobe Connect for Windows. Connect, a piece of software used to create presentations and learning modules, is completely built on Flash. Adobe warned Tuesday that two of the bugs, input validation vulnerabilities, could be used in reflected and stored cross-site scripting attacks. It said the third bug (CVE-2017-3101) could lead to a UI redress or clickjacking attack if exploited.
Details of CVE-2017-3101 weren’t made public, but according to Mitre, which classifies the bug as a user interface misrepresentation of critical information vulnerability, it could be used to obscure or spoof information and carry out phishing attacks.
Adobe is warning that anyone running version 9.6.1 and earlier is vulnerable. The update brings Adobe Connect for Windows to version 9.6.2.
The company said Tuesday that it’s unaware whether exploits exist for the fixed vulnerabilities. Adobe added that it’s aware that some details of CVE-2017-3080 were published on July 3, 2017.
The six patches make July’s update the company’s smallest of 2017 so far, besting May when Adobe fixed eight vulnerabilities in Flash and Adobe Experience Manager.