ZDNet | Security

Adobe patch update squashes critical code execution bugs

Adobe has released a large security patch update for various software offerings which resolves a number of critical and important bugs.

On Tuesday, the tech giant’s security bulletin listed an update to bolster the security of Adobe Bridge CC, Adobe Experience Manager Forms, InDesign, Adobe XD, Adobe Dreamweaver, Adobe Shockwave Player, Adobe Flash Player, and Adobe Acrobat and Reader.

The vulnerabilities resolved include some which can lead to arbitrary code execution problems, sensitive information disclosure, and remote code execution in the context of the current user.

In Adobe Bridge CC, a heap overflow bug, CVE-2019-7130, has been patched which could result in remote code execution, alongside an out-of-bounds-write flaw — CVE-2019-7132 — which can be exploited for the same purpose.

The security update also resolves six information disclosure bugs in the software.

Adobe also fixed CVE-2019-7129, a cross-site scripting (XSS) issue in Adobe Experience Manager Forms. If exploited by attackers, this may result in the leak of sensitive information.

When it comes to InDesign, CVE-2019-7107 has been patched. The critical bug was caused by unsafe hyperlink processing that could result in arbitrary code execution in the context of the current user. Two vulnerabilities, CVE-2019-7105 and CVE-2019-7106, which can lead to arbitrary code execution, have also been fixed in Adobe XD.

A total of seven serious security flaws have also been tackled in Adobe’s latest round of patch updates for Shockwave. These bugs — CVE-2019-7098, CVE-2019-7099, CVE-2019-7100, CVE-2019-7101, CVE-2019-7102, CVE-2019-7103, and CVE-2019-7104 — are all critical memory corruption issues which can be exploited for the purpose of arbitrary code execution.

An important and critical pair of vulnerabilities, CVE-2019-7108 and CVE-2019-7096, have been tackled in Adobe Flash. The out-of-bounds read and use-after-free flaws can result in data leaks or the deployment of arbitrary code.

Adobe Acrobat and Reader received a substantial update over Patch Tuesday. In total, 21 security issues were resolved: 10 that can lead to information disclosure and 11 that could be exploited for the purposes of arbitrary code execution.

A moderate security flaw, CVE-2019-7097, also impacted Adobe Dreamweaver. If Server Message Block (SMB) protocols are subject to relay attacks in the software, the bug could be harnessed to leak sensitive data.

It is recommended that users accept automatic updates for their software builds to mitigate the risk of exploit.

On Tuesday, Microsoft also released a bevy of patches to resolve a total of 74 security issues. Among the bugs resolved were two privilege escalation zero-day vulnerabilities impacting Win32k, code execution flaws in Microsoft Office Access Connectivity, and a remote code vulnerability in Windows GDI+.

SAP also had its own Patch Tuesday, resolving a number of issues which could result in information disclosure, spoofing, and authorization bypass.