Adobe Patches Critical Code Execution Flaws in Dreamweaver, Flash

Security updates released by Adobe on Tuesday patch several vulnerabilities in the company’s Dreamweaver, Flash Player and Connect products.

Flash Player for Windows, Mac, Linux and Chrome OS addresses two critical flaws affecting versions and earlier.

The vulnerabilities have been described as a use-after-free bug (CVE-2018-4919) and a type confusion issue (CVE-2018-4920), both of which can be exploited for remote code execution. While they have been classified as critical, Adobe has assigned them a priority rating of “2,” which indicates that the company does not expect to see exploits any time soon.

The security holes were discovered by Yuki Chen of Qihoo 360 Vulcan Team, who reported them to Adobe via the Chromium Vulnerability Rewards Program.

In Dreamweaver CC, Adobe resolved a critical OS command injection vulnerability discovered by researcher Andrea Micalizzi, also known as “rgod.” The flaw is serious, but the product has never been targeted by hackers, at least to Adobe’s knowledge.

The flaw, CVE-2018-4924, affects versions 18.0 and earlier for Windows and it’s related to the Dreamweaver URI handler. An attacker can exploit the weakness for arbitrary code execution in the context of the current user.

The latest version of Adobe Connect patches two important vulnerabilities: an OS command injection flaw that can lead to arbitrary file deletion, and an unrestricted SWF file upload bug that can be exploited for cross-site scripting (XSS) attacks. Micalizzi and Ciaran McNally have been credited for finding the flaws.

Adobe was recently forced to release an out-of-band update for Flash Player after learning of a vulnerability that had been exploited in targeted attacks by a threat actor believed to be from North Korea.

Microsoft’s Patch Tuesday updates for this month fix over 70 vulnerabilities, including more than a dozen critical flaws affecting the Edge and Internet Explorer web browsers.

Related: Adobe Patches ‘Business Logic Error’ in Flash Player

Related: Adobe Patch Tuesday Updates Fix Only One Flash Player Flaw

Related: Adobe Patches 39 Vulnerabilities in Acrobat and Reader

view counter

Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Read more: Adobe Patches Critical Code Execution Flaws in Dreamweaver, Flash

Story added 13. March 2018, content source with full text you can find at link above.