Adobe has patched a set of critical vulnerabilities which can lead to remote code execution, information leaks, and file deletion.
On Tuesday, the tech giant’s security advisory noted that the vulnerabilities impact Adobe Flash Player, Adobe Connect, and Adobe Dreamweaver CC.
Two of the vulnerabilities relate to Flash: a use-after-free flaw (CVE-2018-4919) and a type confusion bug (CVE-2018-4920). Both are rated critical and impact Adobe Flash Player 22.214.171.124 and earlier on the Windows, Macintosh, Linux and Chrome OS platforms.
Adobe says that successful exploitation may lead to arbitrary code execution in the context of the current user.
“This patch remediates two critical vulnerabilities and should be prioritized for workstation-type devices,” said Jimmy Graham, Qualys Director of Product Management. “There are currently no active attacks against these vulnerabilities.”
Adobe also addressed two vulnerabilities in Adobe Connect. The first security flaw, CVE-2018-4923, is an OS Command Injection bug which can lead to arbitrary file deletion. The second vulnerability, CVE-2018-4921, is an error which causes unrestricted SWF file uploads and may lead to information disclosure.
The final bug, CVE-2018-4924, is a critical OS Command Injection flaw in Adobe Dreamweaver CC. If successfully exploited, attackers can execute arbitrary code.
Adobe thanked Yuki Chen of Qihoo 360 Vulcan Team working alongside the Chromium Vulnerability Rewards Program and independent researchers Rgod and Ciaran McNally for reporting the issues.
The company recommends that users update their software versions immediately to stay protected.
In February, Adobe addressed a total of 41 vulnerabilities across Adobe Acrobat and Reader.
Of these, 17 were considered critical security flaws that attackers could exploit to achieve remote code execution.