Adobe fixes critical security flaws in Flash, ColdFusion, Campaign

Fixing code execution bugs was a priority this month for Adobe.
Written by Charlie Osborne, Contributing Writer

Adobe's monthly patch update is now available and fixes a handful of vulnerabilities in Flash, ColdFusion, and Campaign Classic.

The June round of fixes released by the tech giant focuses on patching problems which could lead to arbitrary code execution in the software.

In Adobe Flash, a single vulnerability has been resolved for software versions and earlier on Windows, macOS, Linux, and Chrome OS. 

The bug, CVE-2019-7845, is a use-after-free security flaw which can lead to code execution if exploited.


Three vulnerabilities -- CVE-2019-7838, CVE-2019-7839, and CVE-2019-7840 -- have been patched in Adobe ColdFusion 11, 2016, and 2018. The file extension blacklist bypass, command injection, and deserialization of untrusted data errors could all lead to arbitrary code execution if left unresolved.

In addition, seven vulnerabilities have been smoothed over in Adobe Campaign Classic, software which is not a common participant in Adobe's patch updates. Versions 18.10.5-8984 and earlier on Windows and Linux machines are affected.

The single critical issue in the batch, CVE-2019-7850, is a command injection bug which can lead to arbitrary code execution.

Five other vulnerabilities, CVE-2019-7843, CVE-2019-7941, CVE-2019-7846, CVE-2019-7848, and CVE-2019-7849, can all be exploited for the purposes of information disclosure, and CVE-2019-7847 provides read access to the file system.


Users should accept automatic updates to mitigate the risk of exploitation.

Adobe thanked researchers from Trend Micro's Zero Day Initiative, 404 Team, Booz Allen Hamilton and Aon's Cyber Solutions for submitting the bug reports.

The latest round of patches builds upon Adobe's previous set of security fixes, released in May. The former update resolved 84 vulnerabilities -- all of which were deemed either important or critical -- in Flash, Acrobat, and Reader.


This week, Microsoft also released the firm's customary round of monthly security updates. In total, 88 bugs were patched and of particular note is the resolution of four out of five zero-day vulnerabilities published in May by an exploit seller known as SandboxEscaper.
