Adobe fixed eight vulnerabilities, seven critical, in Flash Player and its Adobe Experience Manager (AEM) Forms product as part of a regularly scheduled update Tuesday morning.
All seven of the Flash Player bugs can lead to code execution and should be considered critical, according to a security bulletin released by Adobe Tuesday.
Jihui Lu, a researcher with Tencent KeenLab, found six of the bugs, including a use-after-free vulnerability that could directly lead to code execution. Two researchers with Google’s Project Zero research team, Mateusz Jurczyk and Natalie Silvanovich, found a memory corruption vulnerability.
Until updated, Adobe is cautioning of vulnerabilities in Flash Player for Windows and Linux (versions 25.0.0.148 and earlier) and versions of Flash Player for Macintosh (versions 25.0.0.163 and earlier).
The updates bring Flash Player, across all platforms – Desktop Runtime, Chrome, Edge, Internet Explorer 11, and Linux – to version 25.0.0.171.
Adobe also patched an issue in Adobe Experience Manager (AEM) Forms on Tuesday. The product, which helps customers improve document processes, such as form filing, tracking, and responses, suffered from an information disclosure vulnerability.
According to Adobe, a pre-population service in the platform was being abused. The company fixed the issue by giving administrators additional controls in the service’s configuration manager to restrict file paths and protocols used to pre-fill forms.
Unlike the Flash Player vulnerabilities, the Adobe Experience Manager bug wasn’t found by a researcher. Instead Ruben Reusser, CTO at Headwire.com, a service that helps companies implement AEM, discovered it and reported it to Adobe.
The update brings AEM 6.2 to 6.2 SP1 CFP3 and 6.1 to 6.1 SP2 CFP8. Version 6.0 of AEM also received a HotFix to version 2.0.5.8.
Only eight patches makes for a relatively tame Patch Tuesday for Adobe, compared to last month which saw the company patch 59 vulnerabilities across five different products. Forty-four of those vulnerabilities – in Flash Player, Acrobat/Reader, Photoshop, Adobe Campaign, and its Adobe Creative Cloud App – were code execution bugs.