Adobe April Security Bulletin has addressed a total of 19 vulnerabilities in its products, including Flash Player, Experience Manager, InDesign CC, Digital Editions, ColdFusion and the PhoneGap Push plugin.
The company has released Flash Player version 220.127.116.11, which fixes four critical flaws and two issues rated important.
The Flash Player flaws addressed in the April Patch Tuesday bulletin are use-after-free, out-of-bounds read, out-of-bounds write and heap overflow bugs that could be exploited by remote attackers to execute arbitrary code on the target system or to obtain information disclosure.
“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 18.104.22.168 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.
| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
|---|---|---|---|
| Use-After-Free | Remote Code Execution | Critical | CVE-2018-4932 |
| Out-of-bounds read | Information Disclosure | Important | CVE-2018-4933 |
| Out-of-bounds read | Information Disclosure | Important | CVE-2018-4934 |
| Out-of-bounds write | Remote Code Execution | Critical | CVE-2018-4935 |
| Heap Overflow | Information Disclosure | Important | CVE-2018-4936 |
| Out-of-bounds write | Remote Code Execution | Critical | CVE-2018-4937 |
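The bug classes in the table above (out-of-bounds write and use-after-free leading to code execution, out-of-bounds read and heap overflow leading to information disclosure) all come down to memory being written or read outside the lifetime or bounds of a heap object. The C program below is an added illustration, not Adobe's code and not taken from the Flash Player fixes: it uses a constructed fixed-size heap buffer (`buf_t`, `BUF_LEN`, `copy_unchecked`, `copy_bounded`, `release`, `sum_bytes` are all hypothetical names) to show the shape of an unchecked copy beside its bounds-checked form, and a free that clears the pointer so a later use fails visibly instead of reading reclaimed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a small fixed-capacity heap object, standing in for
   any buffer a parser fills from attacker-controlled input. */
#define BUF_LEN 16

typedef struct {
    size_t len;                  /* bytes currently in use */
    unsigned char data[BUF_LEN]; /* fixed capacity */
} buf_t;

/* Vulnerable pattern (out-of-bounds write / heap overflow): the caller's
   length is trusted, so n > BUF_LEN writes past the end of the object into
   whatever the allocator placed next to it. Shown only to contrast with the
   bounded form below; it is called here with an in-bounds length only. */
static void copy_unchecked(buf_t *b, const unsigned char *src, size_t n) {
    memcpy(b->data, src, n);
    b->len = n;
}

/* Hardened form: validate the length against the object's capacity before
   any write. Returns 0 on success, -1 when the input would overflow. */
static int copy_bounded(buf_t *b, const unsigned char *src, size_t n) {
    if (b == NULL || src == NULL || n > BUF_LEN)
        return -1;
    memcpy(b->data, src, n);
    b->len = n;
    return 0;
}

/* Use-after-free mitigation: clear the caller's pointer when the object is
   released so no dangling pointer survives the free. */
static void release(buf_t **pb) {
    free(*pb);
    *pb = NULL;
}

/* Reads only within b->len, which copy_bounded keeps <= BUF_LEN, and refuses
   a released (NULL) object instead of reading freed memory. Returns the byte
   sum, or -1 for a released object. */
static int sum_bytes(const buf_t *b) {
    if (b == NULL)
        return -1;
    int s = 0;
    for (size_t i = 0; i < b->len; i++)
        s += b->data[i];
    return s;
}

int main(void) {
    buf_t *b = calloc(1, sizeof *b);
    unsigned char small[4] = {1, 2, 3, 4};   /* constructed in-bounds input */
    unsigned char big[32];                   /* constructed oversized input */
    memset(big, 0xAA, sizeof big);
    if (b == NULL)
        return 1;

    copy_unchecked(b, small, sizeof small);  /* fine by luck; with big it would corrupt the heap */
    printf("bounded small copy: %d (expect 0)\n", copy_bounded(b, small, sizeof small));
    printf("sum of bytes: %d (expect 10)\n", sum_bytes(b));
    printf("bounded oversized copy: %d (expect -1, object untouched)\n",
           copy_bounded(b, big, sizeof big));
    release(&b);
    printf("use after release: %d (expect -1, not a read of freed memory)\n", sum_bytes(b));
    return 0;
}
```

The point for a reviewer or a fuzzing harness is the contract: every write is checked against the capacity stored with the object, every read is bounded by the length the checked write set, and a freed object cannot be reached through the pointer that owned it. Tools such as AddressSanitizer flag exactly the two patterns `copy_unchecked` and a non-clearing free would produce.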
Adobe credited Google Project Zero white hat hackers Mateusz Jurczyk and Natalie Silvanovich with reporting the CVE-2018-4934, CVE-2018-4935, CVE-2018-4936 and CVE-2018-4937 flaws.
The CVE-2018-4933 vulnerability was reported by willJ of Tencent PC Manager, while the CVE-2018-4932 flaw was reported by Lin Wang of Beihang University.
The good news is that according to Adobe, there is no evidence of malicious exploitation in the wild.
Adobe also addressed three cross-site scripting (XSS) flaws, rated moderate and important, in Adobe Experience Manager.
The company also fixed a critical memory corruption flaw (CVE-2018-4928) in Adobe InDesign CC, reported by Honggang Ren of Fortinet’s FortiGuard Labs, that could be exploited for arbitrary code execution.
The last issue covered by the bulletin is a same-origin method execution bug in the Adobe PhoneGap Push plugin.
(Security Affairs – Adobe April Security Bulletin Tuesday, hacking)