Adobe fixed several critical vulnerabilities – including a critical code execution bug in Adobe Flash Player – on Tuesday as part of its regularly scheduled May Security Bulletin.
In all, Adobe released patches for five critical and important vulnerabilities spanning Creative Cloud, Adobe Flash Player and web conferencing software tool Adobe Connect. For all of these bugs, Adobe said that so far, no exploits have been seen in the wild.
Critical Flash Flaw
In versions of Flash Player, Adobe patched a critical vulnerability (CVE-2018-4944, discovered by Jihui Lu of Tencent KeenLab) that could enable arbitrary code execution “in the context of the current user.”
The vulnerability exists in several Flash Player products, including Flash Player Desktop Runtime (for Windows, Mac and Linux), Flash Player for Google Chrome (for Windows, Mac, Linux and ChromeOS), and Flash Player for Microsoft Edge and Internet Explorer 11 (for Windows 10 and Windows 8.1). All impacted products are versions 184.108.40.206 and earlier, said Adobe.
Adobe is urging impacted users to update to version 220.127.116.11, with separate upgrades for Flash Player Desktop Runtime for Windows and Mac, Flash Player Desktop Runtime for Linux, Flash Player for Google Chrome, and Flash Player for Microsoft Edge and Internet Explorer 11.
Creative Cloud Issues
Adobe also patched critical vulnerabilities in its Creative Cloud Desktop Application for Windows and MacOS.
That includes a vulnerability in the validation of certificates used by Creative Cloud desktop applications (CVE-2018-4991, discovered by Ryan Hileman of Talon Voice & Chi Chou). Creative Cloud 18.104.22.1688 and earlier versions are impacted.
Creative Cloud also has an important vulnerability (CVE-2018-4873) that enables privilege escalation. The bug, reported by Cyril Vallicari, was previously resolved in version 22.214.171.1246 of the Creative Cloud Desktop application.
And finally, the Creative Cloud Application contains an important improper input validation vulnerability (CVE-2018-4992) that could also lead to privilege escalation. This bug was discovered by Wei Wei of Tencent’s Xuanwu Lab.
Adobe is urging users to update to Creative Cloud Desktop Application version 126.96.36.1991 for Windows and MacOS to fix the flaws.
Adobe Connect Impacted
Finally, Adobe said an important authentication bypass vulnerability (CVE-2018-4994) exists in Adobe Connect; successful exploitation could result in sensitive information disclosure.
The impacted Adobe Connect versions include 9.7.5 and earlier. A mitigation is available to customers by modifying Tomcat filters to control remote access to system configuration files, said Adobe.