This week, Adobe released its September Patch Tuesday update pack. It follows the August update pack, in which Adobe patched 11 vulnerabilities, including two critical flaws. In the latest update, Adobe patched six critical vulnerabilities in ColdFusion, along with four other flaws affecting ColdFusion and Flash Player.
Adobe Patched Six Critical Vulnerabilities In ColdFusion Along With Other Bugs
On September 11, 2018, a month after its previous release, Adobe published another comprehensive update bundle fixing multiple bugs. This time Adobe patched six critical vulnerabilities affecting ColdFusion, and it described the updates on its website this Tuesday.
“Adobe has released security updates for ColdFusion versions 2018, 2016 and 11. These updates resolve critical vulnerabilities that could lead to arbitrary code execution.”
Reportedly, five of the six vulnerabilities were code execution flaws that could allow an attacker to execute arbitrary commands, whereas the sixth critical flaw allowed a bad actor to overwrite an arbitrary file.
Of the critical code execution vulnerabilities, four belong to the same category: deserialization of untrusted data. They have received the CVE numbers CVE-2018-15957, CVE-2018-15958, CVE-2018-15959, and CVE-2018-15965. The other two critical flaws are an arbitrary code execution vulnerability through unrestricted file upload (CVE-2018-15961) and an arbitrary file overwrite vulnerability stemming from “use of a component with a known vulnerability” (CVE-2018-15960).
In addition to these, Adobe also fixed two important vulnerabilities (CVE-2018-15962 and CVE-2018-15963), and a moderately severe information disclosure vulnerability (CVE-2018-15964).
Adobe September Patch Tuesday Also Fixed An Important Vulnerability In Flash Player
Apart from the 9 vulnerabilities in ColdFusion, Adobe also patched an important vulnerability in its Flash Player. It announced this fix separately on its website, although the update was released on the same day. Adobe explained that the update addressed Flash Player for Windows, Linux, macOS, and Chrome OS. As stated in its disclosure,
“These updates address an important vulnerability in Adobe Flash Player 22.214.171.124 and earlier versions. Successful exploitation could lead to information disclosure.”
It was mainly a privilege escalation vulnerability (CVE-2018-15967) that could result in information disclosure. The products affected by this vulnerability include Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Internet Explorer 11 and Microsoft Edge.
Users can easily protect their Adobe Flash Player from this vulnerability by updating to the latest 126.96.36.199 version.