Adobe Security Advisory for February 2019 Security Updates

February 19, 2019 | Mina Hao

Overview

On February 12 (local time), Adobe released security bulletins and advisories announcing updates that patch multiple vulnerabilities in products including Adobe Flash Player, Adobe Creative Cloud Desktop Application, ColdFusion, and Adobe Acrobat and Reader.

For details about the security bulletins and advisories, visit the following link:

https://helpx.adobe.com/security.html

Vulnerabilities

Adobe Flash Player

Adobe has released a security update for Adobe Flash Player on Windows, macOS, Linux, and Chrome OS. Successful exploitation could lead to information disclosure in the context of the current user.

Vulnerability details are as follows:

| Vulnerability Impact | Vulnerability Type | Severity Level | CVE ID |
|---|---|---|---|
| Information disclosure | Out-of-bounds read | Important | CVE-2019-7090 |

  • Affected versions: V32.0.0.114 and earlier
  • Unaffected versions:

| Product | Version | Platform |
|---|---|---|
| Adobe Flash Player Desktop Runtime | 32.0.0.142 | Windows and macOS |
| Adobe Flash Player for Google Chrome | 32.0.0.142 | Windows, macOS, Linux, and Chrome OS |
| Adobe Flash Player for Microsoft Edge and Internet Explorer 11 | 32.0.0.144 | Windows 10 and 8.1 |
| Adobe Flash Player Desktop Runtime | 32.0.0.142 | Linux |


Reference link:

https://helpx.adobe.com/security/products/flash-player/apsb19-06.html

Adobe Creative Cloud Desktop Application

Adobe has released a security update for the Creative Cloud Desktop Application on Windows. This update addresses an insecure library loading vulnerability in the installer that could lead to privilege escalation.

Vulnerability details are as follows:

| Vulnerability Impact | Vulnerability Type | Severity Level | CVE ID |
|---|---|---|---|
| Privilege escalation | Insecure library loading (DLL hijacking) | Important | CVE-2019-7093 |


  • Affected versions: V4.7.0.400 and earlier
  • Unaffected version: V4.8.0.410

Reference link:

https://helpx.adobe.com/security/products/creative-cloud/apsb19-11.html

ColdFusion

Adobe has released security updates for ColdFusion 2018, 2016, and 11 to patch vulnerabilities, the most severe of which could lead to arbitrary code execution.

Vulnerability details are as follows:

| Vulnerability Impact | Vulnerability Type | Severity Level | CVE ID |
|---|---|---|---|
| Arbitrary code execution | Untrusted data deserialization | Critical | CVE-2019-7091 |
| Information disclosure | Cross-site scripting | Important | CVE-2019-7092 |

  • Affected versions:

| Product | Version | Platform |
|---|---|---|
| ColdFusion 2018 | <= Update 1 | All |
| ColdFusion 2016 | <= Update 7 | All |
| ColdFusion 11 | <= Update 15 | All |

  • Unaffected versions:

| Product | Version | Platform |
|---|---|---|
| ColdFusion 2018 | Update 2 | All |
| ColdFusion 2016 | Update 8 | All |
| ColdFusion 11 | Update 16 | All |


Reference link:

https://helpx.adobe.com/security/products/coldfusion/apsb19-10.html

Adobe Acrobat and Reader

Adobe has released security updates for Adobe Acrobat and Reader on Windows and macOS.

Vulnerability details are as follows:

| Vulnerability Impact | Vulnerability Type | Severity Level | CVE ID |
|---|---|---|---|
| Arbitrary code execution | Buffer overflow | Critical | CVE-2019-7020, CVE-2019-7085 |
| Information disclosure | Sensitive data disclosure | Critical | CVE-2019-7089 |
| Arbitrary code execution | Double free | Critical | CVE-2019-7080 |
| Information disclosure | Integer overflow | Critical | CVE-2019-7030 |
| Information disclosure | Out-of-bounds read | Important | CVE-2019-7021, CVE-2019-7022, CVE-2019-7023, CVE-2019-7024, CVE-2019-7028, CVE-2019-7032, CVE-2019-7033, CVE-2019-7034, CVE-2019-7035, CVE-2019-7036, CVE-2019-7038, CVE-2019-7045, CVE-2019-7047, CVE-2019-7049, CVE-2019-7053, CVE-2019-7055, CVE-2019-7056, CVE-2019-7057, CVE-2019-7058, CVE-2019-7059, CVE-2019-7063, CVE-2019-7064, CVE-2019-7065, CVE-2019-7067, CVE-2019-7071, CVE-2019-7073, CVE-2019-7074, CVE-2019-7081 |
| Privilege escalation | Security bypass | Critical | CVE-2018-19725, CVE-2019-7041 |
| Arbitrary code execution | Out-of-bounds write | Critical | CVE-2019-7019, CVE-2019-7027, CVE-2019-7037, CVE-2019-7039, CVE-2019-7052, CVE-2019-7060, CVE-2019-7079 |
| Arbitrary code execution | Type confusion | Critical | CVE-2019-7069, CVE-2019-7086, CVE-2019-7087 |
| Arbitrary code execution | Untrusted pointer dereference | Critical | CVE-2019-7042, CVE-2019-7046, CVE-2019-7051, CVE-2019-7054, CVE-2019-7066, CVE-2019-7076 |
| Arbitrary code execution | Use after free | Critical | CVE-2019-7018, CVE-2019-7025, CVE-2019-7026, CVE-2019-7029, CVE-2019-7031, CVE-2019-7040, CVE-2019-7043, CVE-2019-7044, CVE-2019-7048, CVE-2019-7050, CVE-2019-7062, CVE-2019-7068, CVE-2019-7070, CVE-2019-7072, CVE-2019-7075, CVE-2019-7077, CVE-2019-7078, CVE-2019-7082, CVE-2019-7083, CVE-2019-7084 |

  • Affected versions:

| Product | Version | Platform |
|---|---|---|
| Acrobat DC | <= 2019.010.20069 | Windows and macOS |
| Acrobat Reader DC | <= 2019.010.20069 | Windows and macOS |
| Acrobat 2017 | <= 2017.011.30113 | Windows and macOS |
| Acrobat Reader 2017 | <= 2017.011.30113 | Windows and macOS |

  • Unaffected versions:

| Product | Version | Platform |
|---|---|---|
| Acrobat DC | 2019.010.20091 | Windows and macOS |
| Acrobat Reader DC | 2019.010.20091 | Windows and macOS |
| Acrobat 2017 | 2017.011.30120 | Windows and macOS |
| Acrobat Reader 2017 | 2017.011.30120 | Windows and macOS |

Reference link:

https://helpx.adobe.com/security/products/acrobat/apsb19-07.html

Solution

Adobe has officially released security updates to fix the preceding vulnerabilities. Users are advised to update their installations to the latest versions as soon as possible.

For vulnerability details and update procedures, see the official bulletin linked for each affected product.
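
To act on the version tables above, the following Python code triages a software inventory against the unaffected versions this advisory lists. It is an added example, not part of the original advisory or any Adobe or NSFOCUS tooling; the inventory rows are constructed, and it assumes any build below a listed unaffected version needs the update.

```python
import re

# Unaffected (fixed) versions copied from this advisory's tables.
FIXED = {
    "Adobe Flash Player Desktop Runtime": "32.0.0.142",
    "Adobe Flash Player for Google Chrome": "32.0.0.142",
    "Adobe Flash Player for Microsoft Edge and Internet Explorer 11": "32.0.0.144",
    "Creative Cloud Desktop Application": "4.8.0.410",
    "ColdFusion 2018": "Update 2",
    "ColdFusion 2016": "Update 8",
    "ColdFusion 11": "Update 16",
    "Acrobat DC": "2019.010.20091",
    "Acrobat Reader DC": "2019.010.20091",
    "Acrobat 2017": "2017.011.30120",
    "Acrobat Reader 2017": "2017.011.30120",
}
_VERSION = re.compile(r"(?:update\s*|v)?([0-9]+(?:\.[0-9]+)*)", re.IGNORECASE)

def parse_version(text):
    """Turn '2019.010.20069', 'V32.0.0.114' or 'Update 7' into a tuple of ints."""
    match = _VERSION.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def triage(product, installed):
    """Return 'needs-update', 'ok' or 'unknown' for one inventory row."""
    try:
        want = parse_version(FIXED[product])
        have = parse_version(installed)
    except (KeyError, ValueError):
        return "unknown"  # product not in this advisory, or malformed version
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    # Assumption: any build below the listed unaffected version needs the update.
    return "ok" if have >= want else "needs-update"

# Constructed rows; as strings, "32.0.0.99" would sort above "32.0.0.142".
INVENTORY = [
    ("Adobe Flash Player for Google Chrome", "32.0.0.99"),
    ("Acrobat 2017", "2017.011.30120"),
    ("Acrobat Reader DC", "2019.010.20069"),
    ("ColdFusion 2016", "Update 7"),
]

if __name__ == "__main__":
    for product, version in INVENTORY:
        print(f"{triage(product, version):12}  {product} {version}")
```

Versions are compared per product rather than across products, so a patched Acrobat 2017 build is not flagged merely because it is numerically lower than the Acrobat DC threshold.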

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.

For more information about NSFOCUS, please visit:

https://www.nsfocusglobal.com.

NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.