Adobe's monthly patch update is rather small but addresses two critical vulnerabilities in Flash, a common entrant in the firm's security releases.
On Tuesday, the software giant published a security advisory detailing the two bugs, which impact Adobe Flash Player desktop, version 18.104.22.168 and earlier on Windows, macOS, and Linux machines, as well as Adobe Flash Player for Google Chrome on Windows, macOS, Linux, and Chrome OS.
In addition, Adobe Flash Player for Microsoft Edge and Internet Explorer 11, version 22.214.171.124 and earlier, on Windows 10 and 8.1 is affected.
The first vulnerability, CVE-2019-8070, is a critical use-after-free bug, whereas the second, CVE-2019-8069, is a same-origin method execution problem in the software.
If exploited, both security flaws can lead to arbitrary code execution within the context of the current user.
The tech giant has also released a fix for the installer used with Adobe Application Manager, version 10.0. A single insecure library-loading vulnerability, CVE-2019-8076, has been found in the Windows version of the installer; it can be exploited for DLL hijacking.
"This vulnerability exclusively impacts the installer used with the Adobe Application Manager," Adobe said. "CVE-2019-8076 does not impact the existing Application Manager, and there is no action for customer[s] running earlier versions."
Adobe thanked Hamdi Maamri, Eduardo Braun Prado, and the Trend Micro Zero Day Initiative for reporting the vulnerabilities. It is recommended that users either allow automatic updates or upgrade their builds via the product's update mechanism.
In August, Adobe resolved security problems in a variety of software. In total, 75 vulnerabilities in Acrobat and Reader were fixed, alongside 34 bugs in Photoshop, four security flaws in Creative Cloud Desktop, a single vulnerability in Adobe Experience Manager, and several smaller fixes for Prelude and After Effects.
Vulnerabilities resolved include out-of-bounds read/write flaws, heap overflow problems, type confusion bugs, and command injection issues.
Right on schedule, Microsoft has also released a security update this week. Microsoft's September Patch Tuesday 2019 landed with 80 fixes, 17 of which were for vulnerabilities deemed critical. Among the fixes were patches for two zero-day elevation of privilege vulnerabilities, CVE-2019-1214 and CVE-2019-1215.