Adobe and Microsoft have issued their monthly security updates to address critical security flaws in their respective products.
This month's update for Adobe Flash Player addresses two serious vulnerabilities and affects the Windows, macOS, Linux, and Chrome OS versions of the software.
Both Flash Player vulnerabilities can lead to arbitrary code execution in the context of the current user, letting attackers take complete control of affected systems:
- Same-origin method execution (CVE-2019-8069)
- Use-after-free (CVE-2019-8070)
Both vulnerabilities were reported to Adobe by security researchers working with the Trend Micro Zero Day Initiative platform.
Adobe has also issued a security update for Adobe Application Manager (AAM) for Windows to address an Insecure Library Loading (DLL hijacking) vulnerability in the installer.
Separately, on Tuesday, software giant Microsoft fixed 80 vulnerabilities, including two Windows flaws that have been exploited in attacks.
CVE-2019-1214 and CVE-2019-1215 are the zero-day vulnerabilities. The first affects the Windows Common Log File System (CLFS), allowing an authenticated attacker with regular user privileges to escalate privileges to administrator. A researcher from the Qihoo 360 Vulcan Team spotted the security flaw, but there have been no details about the attacks exploiting the vulnerability.
It’s worth noting that while all supported versions of Windows appear to be affected by this flaw, the company says exploitation is unlikely against the latest versions of the operating system.
Microsoft has not credited anyone for the second zero-day it patched on Tuesday. The company has described CVE-2019-1215 as a vulnerability in Winsock (ws2ifsl.sys) that lets a locally authenticated attacker execute code with elevated privileges.
In a blog post, experts at the Zero Day Initiative (ZDI) explained: “Interestingly, [ws2ifsl.sys] has been targeted by malware in the past, with some references going back as far as 2007. Not surprising, since malware often targets low-level Windows services.”