Adobe Patches Critical Code Execution Flaws in Dreamweaver, Flash

Security updates released by Adobe on Tuesday patch several vulnerabilities in the company’s Dreamweaver, Flash Player and Connect products.

Flash Player 29.0.0.113 for Windows, Mac, Linux and Chrome OS addresses two critical flaws affecting versions 28.0.0.161 and earlier.

The vulnerabilities have been described as a use-after-free bug (CVE-2018-4919) and a type confusion issue (CVE-2018-4920), both of which can be exploited for remote code execution. While they have been classified as critical, Adobe has assigned them a priority rating of “2,” which indicates that the company does not expect to see exploits any time soon.

The security holes were discovered by Yuki Chen of Qihoo 360 Vulcan Team, who reported them to Adobe via the Chromium Vulnerability Rewards Program.

In Dreamweaver CC, Adobe resolved a critical OS command injection vulnerability discovered by researcher Andrea Micalizzi, also known as “rgod.” The flaw is serious, but the product has never been targeted by hackers, at least to Adobe’s knowledge.

The flaw, CVE-2018-4924, affects versions 18.0 and earlier for Windows and it’s related to the Dreamweaver URI handler. An attacker can exploit the weakness for arbitrary code execution in the context of the current user.

The latest version of Adobe Connect patches two important vulnerabilities: an OS command injection flaw that can lead to arbitrary file deletion, and an unrestricted SWF file upload bug that can be exploited for cross-site scripting (XSS) attacks. Micalizzi and Ciaran McNally have been credited for finding the flaws.

Adobe was recently forced to release an out-of-band update for Flash Player after learning of a vulnerability that had been exploited in targeted attacks by a threat actor believed to be from North Korea.

Microsoft’s Patch Tuesday updates for this month fix over 70 vulnerabilities, including more than a dozen critical flaws affecting the Edge and Internet Explorer web browsers.

Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.