Adobe April Security Bulletin Tuesday fixed 4 critical flaws in Flash

Adobe April Security Bulletin Tuesday is out, the company has addressed four critical vulnerabilities in the Flash Player.

Adobe April Security Bulletin has addressed a total of 19 vulnerabilities in its products, including Flash Player, Experience Manager, InDesign CC, Digital Editions, ColdFusion and the PhoneGap Push plugin.

The company has released the Flash Player version 29.0.0.140 that fixed four critical flaws and two issues rated as important.

The flaws addressed with the Adobe April Security Bulletin Tuesday include a use-after-free, out-of-bounds read, out-of-bounds write and heap overflow bugs that could be exploited by remote attackers to execute arbitrary code on the target system and that could lead information disclosure.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 29.0.0.113 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.

Below the vulnerability details

Vulnerability CategoryVulnerability ImpactSeverityCVE Number
Use-After-FreeRemote Code ExecutionCriticalCVE-2018-4932
Out-of-bounds readInformation DisclosureImportantCVE-2018-4933
Out-of-bounds readInformation DisclosureImportantCVE-2018-4934
Out-of-bounds writeRemote Code ExecutionCriticalCVE-2018-4935
Heap OverflowInformation DisclosureImportantCVE-2018-4936
Out-of-bounds writeRemote Code ExecutionCriticalCVE-2018-4937

Adobe acknowledged Google white hat hackers Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero for reporting the CVE-2018-4936, CVE-2018-4935, CVE-2018-4934, CVE-2018-4937 flaw.

Adobe April Security Bulletin Tuesday

The CVE-2018-4933 vulnerability was reported by willJ of Tencent PC Manager, while the CVE-2018-4932 flaw was reported by Lin Wang of Beihang University.

The good news is that according to Adobe, there is no evidence of malicious exploitation in the wild.

Adobe also addressed three moderate and important cross-site scripting (XSS) flaws in the Experience Manager.

Adobe also fixed a critical memory corruption flaw (CVE-2018-4928) in Adobe InDesign CC that was reported by Honggang Ren of Fortinet’s FortiGuard Labs. Ren discovered a memory corruption flaw that could be exploited for arbitrary code execution.

Adobe also fixed an out-of-bounds read vulnerability and a stack overflow issue in Adobe Digital Editions and five flaws in ColdFusion.

The last issue covered by the company is a same-origin method execution bug in the Adobe PhoneGap Push plugin.



Pierluigi Paganini

(Security Affairs – Adobe April Security Bulletin Tuesday, hacking)

The post Adobe April Security Bulletin Tuesday fixed 4 critical flaws in Flash appeared first on Security Affairs.



Leave a Reply