Adobe Issues September Security Patches for Critical Vulnerabilities in Flash Player and ColdFusion
Adobe has announced its September 2018 security updates, addressing a total of ten vulnerabilities in its Flash Player and ColdFusion products. Six of these are rated critical, all of them in ColdFusion, and could allow an attacker to execute arbitrary code on a vulnerable server.
For Adobe users, this month’s updates bring a mixed bag of news. Adobe Acrobat and Reader receive no new patches this month. Adobe Flash Player, however, receives a fix for an important privilege escalation vulnerability (CVE-2018-15967), a reminder that Flash remains a risk even as Adobe continues to patch it.
Adobe also confirmed that none of these vulnerabilities had been publicly disclosed or reported as actively exploited. This information may provide some reassurance to businesses that have yet to update their systems, though staying proactive is advisable.
Regarding ColdFusion, Adobe delivered crucial patches for nine distinct security vulnerabilities, six of which were classified as critical. The advisory from Adobe highlighted several deserialization issues (CVE-2018-15965, CVE-2018-15957, CVE-2018-15958, CVE-2018-15959) susceptible to arbitrary code execution. These vulnerabilities are particularly alarming as they could easily be exploited by malicious actors aiming for remote access to sensitive systems.
Among the additional vulnerabilities addressed, one critical issue involves an unrestricted file upload (CVE-2018-15961) that poses a direct risk of arbitrary code execution, while another flaw (CVE-2018-15960) could lead to arbitrary file overwrites. Furthermore, two vulnerabilities classified as important were resolved: a security bypass flaw allowing arbitrary folder creation (CVE-2018-15963) and a directory listing issue that could enable information disclosure (CVE-2018-15962). A moderate information disclosure bug (CVE-2018-15964) was also addressed.
These vulnerabilities affect multiple ColdFusion versions: ColdFusion 2016 (Update 6 and earlier), ColdFusion 2018 (the July 12, 2018 release), and ColdFusion 11 (Update 14 and earlier). Adobe recommends updating to ColdFusion 2018 Update 1, ColdFusion 2016 Update 7, or ColdFusion 11 Update 15, respectively, to mitigate these risks.
In addition to the ColdFusion updates, Adobe has also released a patch for Flash Player on all major operating systems. The Flash Player issue (CVE-2018-15967) is categorized as a privilege escalation vulnerability that could expose user information. Users are urged to update to Flash Player version 31.0.0.208 promptly.
Given these developments, businesses and IT administrators should prioritize patching to protect against attacks that leverage these vulnerabilities. Attacks of this kind map to MITRE ATT&CK tactics such as initial access and privilege escalation, underscoring the need for a layered defense strategy rather than reliance on patching alone.