Adobe fixed four critical vulnerabilities in its Flash Player and InDesign products as part of its regularly scheduled April Security Bulletin Tuesday morning.
In all, Adobe released 19 patches for products including Adobe Experience Manager, Adobe InDesign CC, Adobe Digital Editions and the Adobe PhoneGap Push Plugin. According to Adobe, it “is not aware of any exploits in the wild for any of the issues addressed in these updates.” Additionally, specific details for each of the CVEs have not been made public yet.
The most serious of the bugs impact Adobe Flash Player 220.127.116.11 and earlier versions. “Successful exploitation could lead to arbitrary code execution in the context of the current user,” Adobe said.
Affected versions of Flash Player are Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome and Adobe Flash Player for Microsoft Edge and IE 11. CVEs include CVE-2018-4932, CVE-2018-4933, CVE-2018-4934, CVE-2018-4935, CVE-2018-4936 and CVE-2018-4937.
Three out of four of the vulnerabilities rated critical include a use-after-free vulnerability (CVE-2018-4932) that could result in a remote code execution attack, an out-of-bounds write flaw (CVE-2018-4935) that creates conditions ripe for unwanted information disclosure and another out-of-bounds write (CVE-2018-4937) bug that could create favorable conditions for remote code execution attacks.
Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero are credited for finding four of the Adobe Flash Player bugs – two of which were rated critical (CVE-2018-4935, CVE-2018-4937). Lin Wang of Beihang University is also credited for discovering one of the critical Flash Player bugs (CVE-2018-4932).
Adobe is urging users of Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux to update to Adobe Flash Player 18.104.22.168 via the products update mechanism or by visiting the Adobe Flash Player Download Center. It said Google Chrome, Edge and IE users will each be automatically updated to the latest versions.
The Adobe Flash Player for Microsoft Edge and Internet Explorer 11 will also be included later today in Microsoft’s April Patch Tuesday release.
Another bug rated critical was identified by Honggang Ren of Fortinet’s FortiGuard Labs who identified a memory corruption bug (CVE-2018-4928) in Adobe InDesign CC that could trigger an arbitrary code execution attack.
“This update resolves a critical memory corruption vulnerability (CVE-2018-4928) caused by unsafe parsing of a specially crafted .inx file,” Adobe wrote. It recommends “users update their software installations via the Creative Cloud desktop app updater, or by navigating to the InDesign Help menu and clicking ‘Updates.'”