Adobe's monthly patch update is now available and fixes a handful of vulnerabilities in Flash, ColdFusion, and Campaign Classic.
The June round of fixes released by the tech giant focuses on patching problems which could lead to arbitrary code execution in the software.
In Adobe Flash, a single vulnerability has been resolved for software versions 220.127.116.11 and earlier on Windows, macOS, Linux, and Chrome OS.
The bug, CVE-2019-7845, is a use-after-free security flaw which can lead to code execution if exploited.
Three vulnerabilities -- CVE-2019-7838, CVE-2019-7839, and CVE-2019-7840 have been patched in Adobe ColdFusion 11, 2016, and 2018. The file extension blacklist bypass, command injection, and deserialization of untrusted data error could all lead to arbitrary code execution if left unresolved.
In addition, seven vulnerabilities have been smoothed over in Adobe Campaign Classic, software which is not a common participant in Adobe's patch updates. Versions 18.10.5-8984 and earlier on Windows and Linux machines are affected.
The single critical issue in the batch, CVE-2019-7850, is a command injection bug which can lead to arbitrary code execution.
Five other vulnerabilities, CVE-2019-7843, CVE-2019-7941, CVE-2019-7846, CVE-2019-7848, and CVE-2019-7849 can all be exploited for the purposes of information disclosure, and CVE-2019-7847 provides read access to the file system.
Users should accept automatic updates to mitigate the risk of exploit.
Adobe thanked researchers from Trend Micro's Zero Day Initiative, 404 Team, Booz Allen Hamilton and Aon's Cyber Solutions for submitting the bug reports.
The latest round of patches builds upon Adobe's previous set of security fixes, released in May. The former update resolved 84 vulnerabilities -- all of which were deemed either important or critical -- in Flash, Acrobat, and Reader.
This week, Microsoft also released the firm's customary round of monthly security updates. In total, 88 bugs were patched and of particular note is the resolution of four out of five zero-day vulnerabilities published in May by an exploit seller known as SandboxEscaper.
Previous and related coverage
- Adobe security update released for critical Flash, Acrobat, Reader bugs
- Micropatch released for Adobe Reader zero-day vulnerability
- Adobe releases out-of-band update to patch ColdFusion zero-day
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0