Adobe Systems has issued security updates addressing a total of 112 vulnerabilities across its software products, a large share of them rated critical and exploitable for code execution. The affected products are Adobe Flash Player, Adobe Experience Manager, Adobe Connect, and Adobe Acrobat and Reader.

Notably, none of this month's vulnerabilities was publicly disclosed before the fix or is known to be exploited in the wild. Given the number of code-execution flaws involved, the updates still warrant prompt deployment by users and administrators.

The Flash Player update fixes two vulnerabilities. The more severe, CVE-2018-5007, is rated critical: a type confusion flaw that could allow an attacker to execute arbitrary code in the context of the current user. It was reported by willJ of Tencent PC Manager, working with Trend Micro's Zero Day Initiative. The second vulnerability, rated important by Adobe, is an information disclosure flaw that could allow an attacker to obtain sensitive information; fewer details have been published about it.

Affected versions are Flash Player 30.0.0.113 and earlier on Windows, macOS, Linux, and Chrome OS, including the builds bundled with Google Chrome, Microsoft Internet Explorer 11, and Microsoft Edge.

Adobe has also addressed 104 security vulnerabilities in Adobe Acrobat and Reader, 51 of them rated critical. They include heap overflows, use-after-free bugs, and out-of-bounds writes, any of which could allow an attacker to execute arbitrary code in the context of the current user, the usual vector being a crafted PDF document opened by the victim. The flaws were reported by researchers from several firms, among them Palo Alto Networks and Kaspersky Lab.

Affected versions are the Acrobat and Reader Continuous track 2018.011.20040 and earlier, as well as the Classic 2017 and Classic 2015 tracks, on Windows and macOS.
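A practical check an administrator wants after reading the two version ranges above is an inventory triage: which hosts run a build inside the affected range? The script below is an added example, not Adobe tooling. It encodes only the cut-offs this article states (Flash Player 30.0.0.113 and earlier; Acrobat/Reader Continuous track 2018.011.20040 and earlier). The article gives no build numbers for the Classic 2017 and 2015 tracks, so those builds are flagged for a manual look at the vendor advisory rather than guessed. The inventory records, the "newer" build numbers in them, and the rule that a 2018.x Acrobat build is Continuous while 2017.x and 2015.x are Classic are assumptions made for the example.

```python
"""Triage an Adobe Flash / Acrobat inventory against the affected ranges
quoted in the article.  Added example; thresholds are only those the text
states, inventory rows are constructed."""
import re
from typing import Optional

# Latest affected build per product, taken from the article text.
AFFECTED_MAX = {
    "flash": (30, 0, 0, 113),
    "acrobat-continuous": (2018, 11, 20040),
}


def parse_version(text: str) -> tuple:
    """Turn '30.0.0.113' or '2018.011.20040' into a tuple of ints.
    Adobe's zero-padded components ('011') compare correctly as integers."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def acrobat_track(version: tuple) -> str:
    """Assumption for this example: 2018.x builds are the Continuous track,
    2017.x and 2015.x builds are the Classic tracks named in the article."""
    year = version[0]
    if year >= 2018:
        return "acrobat-continuous"
    if year in (2017, 2015):
        return "acrobat-classic"
    return "unknown"


def is_affected(product: str, version_text: str) -> Optional[bool]:
    """True if the build is at or below the affected cut-off, False if newer,
    None if the article gives no cut-off for this build (Classic tracks)."""
    version = parse_version(version_text)
    key = acrobat_track(version) if product == "acrobat" else product
    threshold = AFFECTED_MAX.get(key)
    if threshold is None:
        return None
    # Right-pad with zeros so a short '30.0.0' compares against '30.0.0.113'.
    width = max(len(version), len(threshold))
    padded_version = version + (0,) * (width - len(version))
    padded_threshold = threshold + (0,) * (width - len(threshold))
    return padded_version <= padded_threshold


# Constructed inventory: (host, product, installed version).  The "newer"
# builds are made up for the example and are not claimed to be the fixed ones.
SAMPLE_INVENTORY = [
    ("ws-01", "flash", "30.0.0.113"),
    ("ws-02", "flash", "30.0.0.200"),
    ("ws-03", "acrobat", "2018.011.20040"),
    ("ws-04", "acrobat", "2018.011.20055"),
    ("ws-05", "acrobat", "2017.011.30080"),
]


def triage(inventory):
    """Map host -> 'affected' | 'ok' | 'check vendor advisory'."""
    labels = {True: "affected", False: "ok", None: "check vendor advisory"}
    return {host: labels[is_affected(product, ver)] for host, product, ver in inventory}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

The comparison is deliberately "at or below the cut-off", because "and earlier" in the advisory wording is inclusive; a script that compares with a strict less-than would miss exactly the last affected build.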

Adobe Experience Manager, Adobe's enterprise content management platform, received fixes for three server-side request forgery (SSRF) vulnerabilities, all rated important. An SSRF flaw lets an attacker make the server issue requests of the attacker's choosing from its own network position, which in this case could lead to the disclosure of sensitive information. The discoveries are credited to Russian researcher Mikhail Egorov.
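To make the SSRF class concrete, here is a generic vulnerable fetch pattern beside one defensive check. This is an added example: it is not AEM code and does not reproduce the AEM flaws above, whose specifics the article does not give. The name-to-address table and the resolver hook are constructed so the check runs offline; in production the default resolver is used.

```python
"""Generic SSRF illustration: an unchecked server-side fetch versus a check
that refuses non-public targets.  Added example, not AEM's code."""
import ipaddress
import socket
from urllib.parse import urlparse


def fetch_any(url: str) -> str:
    """Vulnerable pattern: forwards whatever URL the caller supplied.  A request
    for http://127.0.0.1:8080/admin or a link-local metadata address is issued
    from the server's network position, so internal data flows back to the
    caller.  Returns a description instead of performing the request."""
    return f"server would GET {url}"


# Constructed name -> address table standing in for DNS in this example.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],      # public address
    "internal.corp.example": ["10.0.0.5"],     # RFC 1918, must be refused
    "spoof.example.com": ["127.0.0.1"],        # public name, loopback target
}


def fake_resolver(host: str):
    return FAKE_DNS.get(host, [])


def default_resolver(host: str):
    """Real resolver: every address the name maps to, IPv4 and IPv6."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_target(url: str, resolver=default_resolver) -> bool:
    """Allow only http(s) URLs whose host resolves exclusively to globally
    routable unicast addresses.  ip_address(...).is_global is False for
    loopback, RFC 1918, link-local (which covers 169.254.169.254), multicast,
    documentation and other reserved ranges.  Every resolved address must
    pass, so a name that also maps to an internal address is refused."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no lookup
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        return False
    return all(ipaddress.ip_address(addr).is_global for addr in addresses)


def fetch_checked(url: str, resolver=default_resolver) -> str:
    """Hardened pattern: validate the target before issuing the request."""
    if not is_safe_target(url, resolver):
        raise PermissionError(f"refusing to fetch {url}")
    return f"server would GET {url}"


if __name__ == "__main__":
    for candidate in ("https://cdn.example.com/x", "http://169.254.169.254/",
                      "http://spoof.example.com/", "file:///etc/passwd"):
        print(candidate, "->", is_safe_target(candidate, fake_resolver))
```

Two caveats a reviewer would raise on this check: it validates the address at check time, so a name that changes between validation and connection (DNS rebinding) still gets through unless the HTTP client connects to the address that was validated; and HTTP redirects must be re-validated hop by hop, otherwise a public URL that 302s to an internal address defeats the check.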

Finally, Adobe Connect, a web conferencing and presentation platform, received fixes for three vulnerabilities: two authentication bypass flaws that could let an attacker hijack web sessions and obtain sensitive information, and an insecure library loading flaw that could allow privilege escalation.

All users and administrators should install the updates promptly. Vulnerabilities in software this widely deployed give adversaries cheap initial access and privilege escalation paths, so mapping the patched flaws to the corresponding MITRE ATT&CK tactics helps prioritize both patching and detection.