Adobe Patches Six Flash Player Security Bugs, Three Critical

  • April 10, 2018
  • 12:15 PM

Adobe has published its monthly security bulletin, and for the month of April 2018, the company has addressed security bugs in five products: Adobe Flash Player, Adobe Experience Manager (enterprise CMS), Adobe InDesign (publishing software), Adobe Digital Editions (e-book reader), and Adobe PhoneGap Push Plugin (mobile development library).

As usual, the Flash Player fixes reign supreme, as this remains Adobe's most popular product, even if Google has reported that Flash usage has declined from 80% in 2014 to under 8% in 2018.

In total, Adobe fixed 14 security flaws, broken down as follows: 6 in Flash Player, 3 in Experience Manager, 2 in InDesign, 2 in Digital Editions, and 1 in the PhoneGap Push Plugin.

Adobe Security Update Summary:

APSB18-08 Security update available for Adobe Flash Player

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 29.0.0.113 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user. The latest Adobe Flash Player version number is now: 29.0.0.140.

| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
| --- | --- | --- | --- |
| Use-After-Free | Remote Code Execution | Critical | CVE-2018-4932 |
| Out-of-bounds read | Information Disclosure | Important | CVE-2018-4933 |
| Out-of-bounds read | Information Disclosure | Important | CVE-2018-4934 |
| Out-of-bounds write | Remote Code Execution | Critical | CVE-2018-4935 |
| Heap Overflow | Information Disclosure | Important | CVE-2018-4936 |
| Out-of-bounds write | Remote Code Execution | Critical | CVE-2018-4937 |

APSB18-10 Security update available for Adobe Experience Manager

Adobe has released security updates for Adobe Experience Manager. These updates resolve a stored cross-site scripting vulnerability (CVE-2018-4929) rated moderate, and two cross-site scripting vulnerabilities (CVE-2018-4930 and CVE-2018-4931) rated important. The latest Adobe Experience Manager version number is now: 6.3.

| Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers | Affected Version | Download Package |
| --- | --- | --- | --- | --- | --- |
| Stored cross-site scripting | Sensitive Information disclosure | Moderate | CVE-2018-4929 | AEM 6.2 and earlier | HOTFIX 19293 for AEM 6.0.0; Cumulative Fix Pack for 6.1 SP2 – AEM-6.1-SP2-CFP15; Cumulative Fix Pack for 6.2 SP1 – AEM-6.2-SP1-CFP12 |
| Cross-site scripting | Sensitive Information Disclosure | Important | CVE-2018-4930 | AEM 6.3 and earlier | Cumulative Fix Pack for 6.1 SP2 – AEM-6.1-SP2-CFP15; Cumulative Fix Pack for 6.2 SP1 – AEM-6.2-SP1-CFP12; Service Pack 6.3.2.0 for AEM 6.3 |
| Stored cross-site scripting | Sensitive Information Disclosure | Important | CVE-2018-4931 | AEM 6.1 and earlier | HOTFIX 19385 for AEM 6.0.0; HOTFIX 9381 for AEM 6.1.0 |

APSB18-11 Security update available for Adobe InDesign

Adobe has released a security update for Adobe InDesign CC. This update resolves a critical memory corruption vulnerability (CVE-2018-4928) caused by unsafe parsing of a specially crafted .inx file. This update also resolves an untrusted search path vulnerability (CVE-2018-4927) in the InDesign installer rated Important. The latest Adobe InDesign version number is now: 13.1.

| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
| --- | --- | --- | --- |
| Untrusted Search Path | Local Privilege Escalation | Important | CVE-2018-4927 |
| Memory corruption | Arbitrary Code Execution | Critical | CVE-2018-4928 |

APSB18-13 Security update available for Adobe Digital Editions

Adobe has released a security update for Adobe Digital Editions. This update resolves an out-of-bounds read vulnerability (CVE-2018-4925) rated Important, and a stack overflow vulnerability (CVE-2018-4926) caused by unsafe processing of specially crafted epub files. The latest Adobe Digital Editions version number is now: 4.5.8.

| Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers |
| --- | --- | --- | --- |
| Out-of-bounds read | Information Disclosure | Important | CVE-2018-4925 |
| Stack Overflow | Information Disclosure | Important | CVE-2018-4926 |

APSB18-15 Security update available for the Adobe PhoneGap Push Plugin

Adobe has released an update for the Adobe PhoneGap Push plugin. This update resolves a Same-Origin Method Execution (SOME) vulnerability (CVE-2018-4943) that exists in PhoneGap apps built with the affected version of the Push plugin. This vulnerability could be exploited to trick users of PhoneGap apps into executing click events and other unintended user interactions. The latest Adobe PhoneGap Push Plugin version number is now: 2.1.0.

| Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers |
| --- | --- | --- | --- |
| Same-Origin Method Execution | JavaScript code execution in the context of the PhoneGap app | Important | CVE-2018-4943 |


Catalin Cimpanu
Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.