Pierluigi Paganini September 13, 2017

This month, Adobe has patched only two vulnerabilities in Flash Player, both are critical issues that could be exploited for remote code execution.

The vulnerabilities are tracked as CVE-2017-11281 and CVE-2017-11282, they were discovered by Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero. Both vulnerabilities are caused by memory corruption issues and affect the Flash Player 26.0.0.151 and earlier.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address two critical memory corruption vulnerabilities that could lead to code execution.” reads the security advisory published by Adobe.

Fortunately, there was no evidence that the vulnerabilities had been exploited in the wild before the patches were released.

Adobe also fixed two vulnerabilities affecting the Windows version of the help authoring tool RoboHelp.

The first issue in RoboHelp is an important input validation vulnerability that could be exploited by attackers to cross-site scripting (XSS) attacks, the second one is a moderate-severity unvalidated URL redirect issue that can be exploited to conduct phishing attacks.

“Adobe has released a security update for RoboHelp for Windows. This update resolves an important input validation vulnerability that could be used in a cross-site scripting attack (CVE-2017-3104), as well as an unvalidated URL redirect vulnerability rated moderate that could be used in phishing campaigns (CVE-2017-3105).” reads the security advisory.

The vulnerabilities affect RoboHelp 2017.0.1 and earlier and 12.0.4.460 and earlier. The flaws have been reported by Reynold Regan of the CNSI – Center for Technology & Innovation in Chennai.

Adobe also released security updates to fix four bugs in ColdFusion 11 and 2016, including a critical XML parsing vulnerability and a cross-site scripting vulnerability that can lead to information disclosure.

Nick Bloor of NCC Group, Daniel Sayk of Telekom Security, and Daniel Lawson of Depth Security have reported these vulnerabilities to Adobe.

Adobe also addressed a mitigation for an unsafe Java deserialization that could result in remote code execution.

The updates include the Update 5 for the ColdFusion’s 2016 release and the Update 13 for ColdFusion 11.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Adobe Flash Player, hacking)

[adrotate banner=”12″]