Adobe Flash, Application Manager patch update squashes critical code execution bugs

Two bugs could lead to arbitrary code being let loose on infected systems.
Written by Charlie Osborne, Contributing Writer

Adobe's monthly patch update is rather small but addresses two critical vulnerabilities in Flash, a common entrant in the firm's security releases. 

On Tuesday, the software giant published a security advisory detailing the two bugs, which impact Adobe Flash Player desktop, version and earlier on Windows, macOS, and Linux machines, as well as Adobe Flash Player for Google Chrome on Windows, macOS, Linux, and Chrome OS. 

In addition, Adobe Flash Player for Microsoft Edge and Internet Explorer 11 version  and earlier on Windows 10 and 8.1 are affected. 

The first vulnerability, CVE-2019-8070, is a critical use-after-free bug, whereas the second, CVE-2019-8069, is a same-origin method execution problem in the software.

If exploited, both security flaws can lead to arbitrary code execution within the context of the current user. 

The tech giant has also released a fix for the installer used with Adobe Application Manager, version 10.0. A single insecure library loading vulnerability, CVE-2019-8076, has been found in the Windows version of the installer that can be exploited to permit DLL hijacking. 

"This vulnerability exclusively impacts the installer used with the Adobe Application Manager," Adobe said. "CVE-2019-8076 does not impact the existing Application Manager, and there is no action for customer[s] running earlier versions."

Adobe thanked Hamdi Maamri, Eduardo Braun Prado, and the Trend Micro Zero Day Initiative for reporting the vulnerabilities. It is recommended that users either allow automatic updates or upgrade their builds via the product's update mechanism. 

In August, Adobe resolved security problems in a variety of software. In total, 75 vulnerabilities in Acrobat and Reader were fixed, alongside 34 bugs in Photoshop, four security flaws in Creative Cloud Desktop, a single vulnerability in Adobe Experience Manager, and several smaller fixes for Prelude and After Effects. 

Vulnerabilities resolved include out-of-bounds read/write flaws, heap overflow problems, type confusion bugs, and command injection issues. 

Right on schedule, Microsoft has also released a security update this week. Microsoft's September Patch Tuesday 2019 landed with 80 fixes, 17 of which were for vulnerabilities deemed critical. Among the fixes were patches for two zero-day elevation of privilege vulnerabilities, CVE-2019-1214 and CVE-2019-1215. 
