Adobe Systems continues to provide essential security updates for its products, even as it prepares to retire Flash Player by the end of 2020. Recently, the company issued a suite of patches addressing eight critical vulnerabilities across three products, notably two in Flash Player, four in ColdFusion, and two in RoboHelp. Among these vulnerabilities, five have been deemed critical, which raises significant concerns for users and businesses reliant on these applications.

The vulnerabilities in Flash Player are particularly alarming due to their potential for remote code execution, representing a significant threat to any affected devices. Classified as critical, these flaws—tracked as CVE-2017-11281 and CVE-2017-11282—were identified by researchers from Google’s Project Zero team, highlighting the persistent risk that outdated software can present.

Both of these vulnerabilities exploit memory corruption issues that can affect major operating systems, including Windows, macOS, Linux, and Chrome OS. The timely release of updated software, specifically Flash Player version 27.0.0.130, provides users with necessary protections against these exploits. As noted by Adobe, no known exploits have yet been observed in active environments, but vigilance remains essential.

For ColdFusion, the situation is similarly critical. Among the addressed vulnerabilities is an XML parsing issue (CVE-2017-11286) that carries a critical rating. Additionally, there is an important XSS (cross-site scripting) vulnerability (CVE-2017-11285) that could lead to information disclosure. The risks inherent in unsafe Java deserialization processes, which can facilitate remote code execution, are tracked as CVE-2017-11283 and CVE-2017-11284. This suite of vulnerabilities has been reported by a group of security experts from NCC Group, Telekom Security, and Depth Security, with patches now integrated into the latest versions of Adobe ColdFusion.

Lastly, the RoboHelp product is not exempt from vulnerabilities. There, an important input validation flaw (CVE-2017-3104) presents a risk for DOM-based XSS attacks, while a moderate severity URL redirection issue (CVE-2017-3105) could be weaponized in phishing campaigns. The recent updates address these flaws in the most current RoboHelp releases, version RH2017.0.2 and RH12.0.4.460.

Although Adobe has reported no active exploitation of these vulnerabilities, users are strongly advised to implement the patches immediately to mitigate potential risks from remote attacks. As businesses navigate an increasingly sophisticated cybersecurity landscape, staying updated with the latest security measures is not just advisable—it’s essential.

Considering the tactics and techniques from the MITRE ATT&CK Matrix, the vulnerabilities could have facilitated initial access and remote execution tactics, underscoring the need for proactive cybersecurity measures. Business owners are encouraged to remain vigilant and prioritize cybersecurity best practices to safeguard sensitive data and infrastructure amidst evolving threats.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.