Adobe has issued fixes for critical flaws in Adobe Flash and ColdFusion that could lead to arbitrary code execution if exploited.
Overall, Adobe patched 11 vulnerabilities across Adobe Flash, Adobe ColdFusion and Adobe Campaign – including five critical flaws – during its regularly-scheduled Tuesday update. This month’s update addresses far fewer vulnerabilities than May’s regularly-scheduled updates, which fixed 87 vulnerabilities across Acrobat and Reader, Flash Player and Adobe Media Encoder.
The most severe of these exist in Adobe ColdFusion, Adobe’s commercial rapid web application development platform. “Adobe has released security updates for ColdFusion versions 2018, 2016 and 11,” according to Adobe’s advisory. “These updates resolve three critical vulnerabilities that could lead to arbitrary code execution.”
These are a file extension blacklist bypass flaw (CVE-2019-7838), a command injection flaw (CVE-2019-7839) and a deserialization of untrusted data vulnerability (CVE-2019-7840).
The vulnerabilities exist in ColdFusion 2018 (update 3 and earlier versions), ColdFusion 2016 (update 10 and earlier versions) and ColdFusion 11 (update 18 and earlier versions).
All three patches have a priority 1 update rating. According to Adobe, priority 1 “resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.” Adobe recommends administrators install the update within 72 hours.
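To make the first of those ColdFusion bug classes concrete, the following is an added illustration written for this page; it is not ColdFusion’s upload code and does not reproduce the specifics of CVE-2019-7838. It contrasts a denylist check on the final file extension, which is bypassed by case differences, unlisted sibling extensions, trailing dots and embedded null bytes, with a normalizing allowlist check. The extension sets and sample filenames are constructed assumptions.

```python
import os
import unicodedata

# Constructed example, not ColdFusion code: the extension sets are assumptions.
DENIED_EXTENSIONS = {".cfm", ".cfc", ".jsp", ".exe"}
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}


def denylist_check(filename: str) -> bool:
    """Weak check: accept anything whose final extension is not on a denylist."""
    _, ext = os.path.splitext(filename)
    return ext not in DENIED_EXTENSIONS


def allowlist_check(filename: str) -> bool:
    """Stronger check: normalize, reject odd names, then accept only known extensions."""
    name = unicodedata.normalize("NFKC", filename)
    # Strip any directory component, treating backslashes as separators too.
    name = os.path.basename(name.replace("\\", "/"))
    # Null bytes and leading/trailing dots or spaces are never legitimate in an upload name.
    if not name or "\x00" in name or name != name.strip(". "):
        return False
    name = name.lower()
    _, ext = os.path.splitext(name)
    # Exactly one extension, and it must be on the allowlist.
    return name.count(".") == 1 and ext in ALLOWED_EXTENSIONS


# Constructed upload names a tester would try against a denylist filter.
SAMPLES = [
    "image.png",          # benign, should pass both checks
    "shell.CFM",          # case variant of a denied extension
    "shell.cfml",         # sibling extension the denylist does not list
    "shell.cfm.",         # trailing dot, which some filesystems silently drop
    "shell.cfm\x00.png",  # null byte before a harmless extension
]


def evaluate(samples=SAMPLES):
    """Return {filename: (denylist result, allowlist result)} for each sample."""
    return {s: (denylist_check(s), allowlist_check(s)) for s in samples}


if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in evaluate().items():
        print(f"{name!r:24} denylist accepts={deny_ok!s:5} allowlist accepts={allow_ok}")
```

Every constructed malicious name passes the denylist and fails the allowlist; only `image.png` passes both. The point a reviewer of upload handlers should take from it is that any check built around “what to forbid” inherits every gap in that list, whereas a check built around “what to permit” has to be wrong about a specific allowed type to fail.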
Also patched was a critical use-after-free vulnerability (CVE-2019-7845) in Adobe Flash that could enable arbitrary code execution. The vulnerability was reported anonymously by Trend Micro’s Zero Day Initiative (ZDI).
“This is a use-after-free vulnerability,” Dustin Childs with ZDI told Threatpost. “The specific flaw exists within the handling of LocalConnection objects. By performing actions in ActionScript, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code in the context of the current process.”
The vulnerability impacts versions 32.0.0.192 and earlier of Adobe Flash Player Desktop Runtime (for Windows, macOS and Linux), Adobe Flash Player for Google Chrome (for Windows, macOS, Linux and Chrome OS) and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (for Windows 10 and 8.1). Users of these versions are urged to update to version 32.0.0.207.
And finally, Adobe patched seven vulnerabilities in its Campaign technology, which automates the execution of mobile, social, email and offline campaigns.
These include a critical command injection flaw (CVE-2019-7850) that could enable arbitrary code execution; three important vulnerabilities (CVE-2019-7849, CVE-2019-7847 and CVE-2019-7843); and three moderate information disclosure flaws (CVE-2019-7941, CVE-2019-7846 and CVE-2019-7848).
The flaws exist in Adobe Campaign Classic versions 19.1.1-9026 and earlier (on Windows and Linux).