Adobe Flash, Application Manager patch update squashes critical code execution bugs

Two bugs could lead to arbitrary code being let loose on infected systems.


Adobe's monthly patch update is rather small but addresses two critical vulnerabilities in Flash, a common entrant in the firm's security releases. 

On Tuesday, the software giant published a security advisory detailing the two bugs, which impact Adobe Flash Player desktop, version 32.0.0.238 and earlier on Windows, macOS, and Linux machines, as well as Adobe Flash Player for Google Chrome on Windows, macOS, Linux, and Chrome OS. 

In addition, Adobe Flash Player for Microsoft Edge and Internet Explorer 11, version 32.0.0.207 and earlier, on Windows 10 and 8.1 is affected.


The first vulnerability, CVE-2019-8070, is a critical use-after-free bug, whereas the second, CVE-2019-8069, is a same-origin method execution problem in the software.

If exploited, both security flaws can lead to arbitrary code execution within the context of the current user. 

The tech giant has also released a fix for the installer used with Adobe Application Manager, version 10.0. A single insecure library loading vulnerability, CVE-2019-8076, has been found in the Windows version of the installer that can be exploited to permit DLL hijacking. 


"This vulnerability exclusively impacts the installer used with the Adobe Application Manager," Adobe said. "CVE-2019-8076 does not impact the existing Application Manager, and there is no action for customer[s] running earlier versions."

Adobe thanked Hamdi Maamri, Eduardo Braun Prado, and the Trend Micro Zero Day Initiative for reporting the vulnerabilities. It is recommended that users either allow automatic updates or upgrade their builds via the product's update mechanism. 

In August, Adobe resolved security problems in a variety of software. In total, 75 vulnerabilities in Acrobat and Reader were fixed, alongside 34 bugs in Photoshop, four security flaws in Creative Cloud Desktop, a single vulnerability in Adobe Experience Manager, and several smaller fixes for Prelude and After Effects. 


Vulnerabilities resolved include out-of-bounds read/write flaws, heap overflow problems, type confusion bugs, and command injection issues. 

Right on schedule, Microsoft has also released a security update this week. Microsoft's September Patch Tuesday 2019 landed with 80 fixes, 17 of which were for vulnerabilities deemed critical. Among the fixes were patches for two zero-day elevation of privilege vulnerabilities, CVE-2019-1214 and CVE-2019-1215. 
