'

Adobe patches critical vulnerabilities in Flash, InDesign

Workstation users should treat the latest Adobe security bulletin seriously.

Adobe has released a new security update which resolves critical vulnerabilities in products including Adobe Flash Player and Adobe InDesign.

On Tuesday, the tech giant published a security advisory detailing a total of 19 vulnerabilities in Adobe Flash Player, Adobe Experience Manager, Adobe InDesign CC, Digital Editions, ColdFusion and the Adobe PhoneGap Push plugin.

Adobe Flash, a common inclusion in the company's security updates, has received a patch which resolves critical vulnerabilities which affect Adobe Flash Player version 29.0.0.113 and earlier on Windows, Macintosh, Linux and Chrome OS systems.

In total, three vulnerabilities are deemed critical. A use-after-free flaw, CVE-2018-4932, and two out-of-bounds write errors, CVE-2018-4935 and CVE-2018-4937, can all lead to remote code execution if exploited.

In addition, Adobe has patched two additional out-of-bounds read bugs, CVE-2018-4933 and CVE-2018-4934, as well as a heap overflow issue, CVE-2018-4936. These vulnerabilities can lead to information disclosure.

Three vulnerabilities have also been resolved in Adobe Experience Manager. Impacting versions 6.0 -- 6.3, the update resolves a stored cross-site scripting vulnerability (CVE-2018-4929) and two cross-site scripting vulnerabilities (CVE-2018-4930, CVE-2018-4931). These vulnerabilities can all lead to sensitive information leaks.

Adobe InDesign has also received a security update this month. A critical memory corruption vulnerability (CVE-2018-4928) caused by unsafe parsing of a specially crafted .inx file and an untrusted search path vulnerability (CVE-2018-4927) in the InDesign installer has been patched.

The critical security flaw, if exploited, can lead to arbitrary code execution, while the slightly less dangerous issue can lead to local privilege escalation.

Two vulnerabilities have been patched in Adobe Digital Editions, CVE-2018-4925 and CVE-2018-4926. The out-of-bounds read and stack overflow bugs, which impact versions 4.5.7 and below, can lead to information disclosure.

A set of vulnerabilities impacting Coldfusion has also been resolved. The bugs impact the 2016 ColdFusion release update 5 and earlier, as well as ColdFusion 11, update 13 and earlier versions.

Two critical vulnerabilities, CVE-2018-4939 and CVE-2018-4942, are bugs which permit the deserialization of untrusted data and unsafe XML external entity processing. If exploited, these security flaws may lead to remote code execution and information disclosure.

Adobe also patched an insecure library loading vulnerability (CVE-2018-4938), a cross-site scripting vulnerability that could lead to code injection (CVE-2018-4940), and another cross-site scripting bug (CVE-2018-4941) which may lead to data leaks.

The security update issued for the Adobe PhoneGap Push Plugin which resolves one vulnerability.

The patch resolves an "important" Same-Origin Method Execution (SOME) vulnerability (CVE-2018-4943) that exists in PhoneGap apps built with version 2.1.0 of the Push plugin.

"This vulnerability could be exploited to trick users of PhoneGap apps into executing click events and other unintended user interactions," Adobe says.

Adobe recommends that users update their software builds immediately to the latest versions in order to stay protected from the potential exploit of these bugs.

The company thanked researchers from Google Project Zero, Tencent PC Manager, and Beihang University for reporting some of the vulnerabilities.

See also: Windows security: Microsoft issues Adobe patch to tackle Flash zero-day

"Adobe has released 6 bulletins covering 19 vulnerabilities in Flash Player, Experience Manager, InDesign, Digital Editions, Coldfusion, and the PhoneGap Push Plugin," commented Jimmy Graham, Qualys Director of Product Management. "Of the 19, six are marked as critical in Flash, InDesign, and Coldfusion. Coldfusion servers should be patched as soon as possible. Patches for Flash or InDesign should also be treated as high priority for Workstation-type devices."

In March, Adobe's security release resolved flaws in Adobe Flash Player, Connect, and Dreamweaver. Two Adobe Flash vulnerabilities earned the most critical ratings, a use-after-free flaw and type confusion bug which impact Adobe Flash Player 28.0.0.161 and earlier on the Windows, Macintosh, Linux, and Chrome OS platforms.

If exploited, the vulnerabilities may lead to arbitrary code execution.

Previous and related coverage