Adobe Releases Critical Security Patches for 9 Products
Adobe Systems has released security patches for nine of its products to fix 86 vulnerabilities, the majority of which are rated as critical and important.
In addition to Flash Player, Reader and Acrobat, which are the usual recipients of Adobe’s security patches, the company has updated Photoshop CC, Adobe Connect, Adobe DNG Converter, InDesign, Digital Editions, Shockwave Player and Experience Manager.
Adobe Reader and Acrobat had the largest number of patched vulnerabilities—62, of which 58 are rated as critical and could result in remote code execution. The remaining four flaws are rated as important and can enable drive-by downloads, information disclosure and excessive resource consumption.
Users are advised to upgrade to the new versions of Acrobat and Reader DC (2015.006.30392 on Classic Track or 2018.009.20044 on Continuous Track), Acrobat and Reader XI (11.0.23) and Acrobat and Reader 2017 (2017.011.30068).
Among the security patches were for five critical remote code execution flaws in Adobe Flash Player for Windows, Mac and Linux. Users should manually upgrade the runtime to version 27.0.0.187.
The Flash Player plug-ins bundled with Google Chrome, Microsoft Edge and Internet Explorer 11 will be automatically patched through those browsers’ respective update mechanisms.
Adobe Shockwave Player, which is present on 450 million computers according to Adobe, received a patch for a critical memory corruption vulnerability that can lead to remote code execution. Users are advised to update to Shockwave Player version 12.3.1.201.
Shockwave Player is used for displaying interactive online content created with Adobe’s Director software and adds a browser plug-in. This makes it an easy target for hackers because it can be attacked remotely through compromised websites or malicious advertisements.
Adobe Photoshop CC was updated to versions 18.1.2 (2017.1.2) and 19.0 (2018.0) to fix two remote code execution flaws, while Adobe DNG Converter for Windows was updated to version 10.0 to patch a critical memory corruption vulnerability.
The newly released version 9.7 of Adobe’s Connect web conferencing software includes fixes for a critical server-side request forgery (SSRF) issue that could be used to bypass network access controls, as well as for three cross-site scripting vulnerabilities and one clickjacking flaw that could result in information disclosure.
The Adobe InDesign publishing software for Windows and Mac was updated to version 13.0 to fix a remote code execution bug. The Adobe Digital Editions e-book reader was updated to version 4.5.7 to patch one critical information disclosure flaw and five important memory address disclosure issues.
Hotfixes were also released for versions 6.3, 6.2, 6.1 and 6.0 of Adobe Experience Manager, an enterprise content management system. The fixes address two cross-site scripting flaws and an issue that can disclose sensitive tokens in HTTP GET requests.
Cyberespionage Malware Reaver Hides as Windows Control Panel Applet
Security researchers from Palo Alto Networks have identified a new malware family that’s used in cyberespionage attacks and hides as a control panel file (CPL).
“The new family appears to have been in the wild since late 2016 and to date we have only identified 10 unique samples, indicating it may be sparingly used,” the researchers said in a blog post.
The malware is linked to activity by a group that has been operating since at least 2013 and in the past has targeted groups that are viewed as dangerous by the Chinese government: Uyghurs, Tibetans, Falun Gong practitioners, supporters of Taiwanese independence and supporters of Chinese democracy. The group is also known for using a malware program known as SunOrcal.
The use of malware that masquerades as Control Panel applets is not new and the technique has been used in the past by various cybercriminal groups, including Carbanak, a gang specialized in breaking into financial institutions. But overall, the use of malicious CPL files is quite rare.
Reaver “is also unique in the fact that its final payload is in a CPL file, a technique which Palo Alto Networks has seen with only 0.006% of all malware samples we have analyzed,” the researchers said.
