Adobe patches critical vulnerabilities in Flash, Creative Cloud

The most dangerous bugs can lead to remote code execution and unauthorized privilege escalation.
Written by Charlie Osborne, Contributing Writer

Adobe has resolved a number of vulnerabilities, including a remote code execution bug, in the firm's May patch update.

The tech giant's latest round of security updates impacts users of the Adobe Creative Cloud Desktop application, Adobe Flash Player, and Adobe Connect, Adobe said in a security advisory on Tuesday.

Adobe Flash is constantly present in the firm's security updates, and in the latest round, Adobe has patched a critical type confusion security flaw in the software.

The bug, CVE-2018-4944, can lead to arbitrary code execution if exploited by attackers.

Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 versions and earlier are all affected on Macintosh, Linux, Chrome OS, Windows 10 and 8.1 machines.

Adobe has also resolved three vulnerabilities in the Creative Cloud Desktop application.

Impacting Creative Cloud version on Windows and MacOS systems, the vulnerabilities -- CVE-2018-4992, CVE-2018-4991, and CVE-2018-4873 -- can lead to security system bypass and privilege escalation. One out of the three bugs is deemed critical while the others are rated as important.

The security update has also resolved an authentication bypass vulnerability, CVE-2018-4994, in Adobe Connect versions 9.7.5 and earlier. According to the company, successful exploitation of the bug could lead to the disclosure of sensitive information.

The company has thanked Tanner LLC, Tencent's Xuanwu Lab, and Tencent KeenLab, among others, for disclosing the vulnerabilities resolved in the May update.

Adobe recommends that users accept the security update as quickly as possible in order to protect themselves against compromise.

"Adobe has released a critical fix for Adobe Flash Player," analysts at Ivanti noted. "Only one CVE is resolved, but it is rated as critical, and Flash Player is still a high-profile target on end-user systems. It is always recommended [to update] as a high priority."

In April, Adobe patched 19 security flaws in Adobe Flash Player, Adobe Experience Manager, Adobe InDesign CC, Digital Editions, ColdFusion and the Adobe PhoneGap Push plugin.

Six of the security flaws were deemed critical and placed workstations at the greatest risk of exploitation and compromise, including the possibility of information disclosure and remote code execution.
