Critical Code Execution Flaw Patched in Flash Player
Adobe has patched several vulnerabilities in its Flash Player, Creative Cloud and Connect products, but the company believes it's unlikely that the flaws will be exploited in the wild any time soon. Only one vulnerability has been patched in Flash Player with the release of version 22.214.171.124 for Windows, Mac, Linux and Chrome OS. The issue, reported to Adobe by Jihui Lu of Tencent KeenLab, impacts Flash Player 126.96.36.199 and earlier versions.
The flaw is a critical type confusion that allows arbitrary code execution (CVE-2018-4944), but Adobe has assigned it a severity rating of "2," which indicates that exploits are not considered imminent and there is no rush to install the update. A total of three security holes have been patched by Adobe in the Creative Cloud desktop applications for Windows and macOS. Researchers discovered that version 188.8.131.528 and earlier of the apps are impacted by an improper input validation issue that can lead to privilege escalation, an improper certificate validation problem that can lead to a security bypass, and a flaw described as an "unquoted search path" that can be exploited for privilege escalation.
The certificate validation vulnerability has been classified "critical," while the other two issues have been rated "important." All of them have a priority rating of "2." Wei Wei of Tencent's Xuanwu Lab, Ryan Hileman of Talon Voice, Chi Chou, and Cyril Vallicari of HTTPCS - Ziwit have been credited for finding the flaws. Finally, Adobe patched an "important" authentication bypass vulnerability affecting Connect versions 9.7.5 and earlier.
Exploitation of the flaw can result in the exposure of sensitive information. Related: Adobe Patches Vulnerabilities in Six Products Related: Adobe Patches Flash Zero-Day Exploited by North Korean Hackers