Ron Cartwright

1602990000

Critical Flash Player Flaw Opens Adobe Users to RCE

Adobe is warning of a critical vulnerability in its Flash Player application for users on Windows, macOS, Linux and ChromeOS operating systems.

The vulnerability is the only flaw released this month as part of Adobe’s regularly scheduled patches (markedly fewer than the 18 flaws addressed during its September regularly scheduled fixes). However, it’s a critical bug (CVE-2020-9746), and if successfully exploited could lead to an exploitable crash, potentially resulting in arbitrary code execution in the context of the current user, according to Adobe.

“As is typically the case for Flash Player vulnerabilities, web-based exploitation is the primary vector of exploitation but not the only one,” according to Nick Colyer, senior product marketing manager with Automox, in an email. “These vulnerabilities can also be exploited through an embedded ActiveX control [a feature in Remote Desktop Protocol] in a Microsoft Office document or any application that uses the Internet Explorer rendering engine.”

The issue stems from a NULL pointer-dereference error. This type of issue occurs when a program attempts to read or write to memory with a NULL pointer. Running a program that contains a NULL pointer dereference generates an immediate segmentation fault error.

Affected are versions 32.0.0.433 and earlier of Adobe Flash Desktop Runtime (for Windows, macOS and Linux); Adobe Flash Player for Google Chrome (Windows, macOS, Linux and Chrome OS) and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (Windows 10 and 8.1).

A patch is available in version 32.0.0.445 across all affected platforms (see below). Adobe ranks the patch as a “priority 2,” meaning that it “resolves vulnerabilities in a product that has historically been at elevated risk” – however, there are currently no known exploits.


Adobe Warns of Critical Flaws in Flash Player, Framemaker

Adobe released patches for four critical flaws in Flash Player and in its Framemaker document processor as part of its regularly scheduled updates. The bugs, if exploited, could enable arbitrary code-execution.

In Tuesday’s June Adobe security updates, critical flaws tied to three CVEs were patched in Adobe Framemaker, which is Adobe’s application designed for writing and editing large or complex documents.

The flaws include two critical out-of-bounds write flaws (CVE-2020-9634, CVE-2020-9635), which stem from write operations that then produce undefined or unexpected results. Francis Provencher working with Trend Micro’s Zero Day Initiative (ZDI) was credited with finding these arbitrary code-execution flaws.

Loma Baumbach

1599707640

Critical Adobe Flaws Allow Attackers to Run JavaScript in Browsers

Adobe has released fixes addressing five critical flaws in its popular Experience Manager content-management solution for building websites, mobile apps and forms. The cross-site scripting (XSS) flaws could allow attackers to execute JavaScript in targets’ browsers.

Including Adobe Experience Manager, Adobe fixed 18 flaws as part of its regularly scheduled September updates. It also addressed flaws in Adobe Framemaker, its document-processor designed for writing and editing large or complex documents; and InDesign, its desktop publishing and typesetting software application.

“The impact of any exploitation of these vulnerabilities, no matter their criticality, could open any organization up to the release of private information, easy lateral movement through a network, or the hijacking of critical information all due to the heavy use of these tools in marketing and its unfettered access to critical information,” said Richard Melick, senior technical product manager at Automox, in an email. “It is important to patch these vulnerabilities as soon as possible.”

Adobe patched 11 bugs overall in its Experience Manager; five of those are rated critical severity, and the rest are “important” severity. The critical flaws are all XSS glitches (CVE-2020-9732, CVE-2020-9742, CVE-2020-9741, CVE-2020-9740 and CVE-2020-9734).

“Successful exploitation of these vulnerabilities could result in arbitrary JavaScript execution in the browser,” according to Adobe.

The five important-severity flaws include an issue allowing for execution with unnecessary privileges, leading to sensitive information disclosure (CVE-2020-9733), four cross site scripting flaws (CVE-2020-9735, CVE-2020-9736, CVE-2020-9737, CVE-2020-9738) and an HTML injection glitch (CVE-2020-9743) allowing arbitrary HTML injection in the browser.

Below is a list of affected product solutions; fixes are available in version 6.5.6.0 and version 6.4.8.2 (as well as AEM Forms Service Pack 6 for AEM forms add-on users).

The update for Adobe Experience Manager received a “priority 2,” meaning it resolves flaws in a product that has “historically been at elevated risk” – but for which there are no known exploits.

“Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days),” according to Adobe.

Houston Sipes

1596868080

Critical Adobe Photoshop Flaws Patched in Emergency Update

Adobe issued out-of-band patches for critical flaws tied to 12 CVEs in Photoshop and other applications.

Adobe released a slew of patches for critical vulnerabilities Tuesday that were part of an out-of-band security update. Several of the critical flaws are tied to Adobe’s popular Photoshop photo-editing software and allow adversaries to execute arbitrary code on targeted Windows devices.

Overall, Adobe issued patches for flaws tied to 12 CVEs across Bridge, Prelude and Photoshop applications. The unscheduled updates come a week after Adobe issued its official July 2020 security updates, including critical code-execution bugs.

Adobe said it was not aware of any exploits in the wild for any of the bugs patched in the update. The company did not offer technical details regarding the Photoshop CVEs.

Threatpost reached out to Mat Powell, researcher with Trend Micro’s Zero Day Initiative, who is credited for finding each of the critical flaws. Powell has not responded to that request. Threatpost hopes to update this report with additional commentary from the researcher.

All of the reported critical flaws stem from out-of-bounds read and write vulnerabilities, which occur when the software reads data past the end of – or before the beginning of – the intended buffer, potentially resulting in corruption of sensitive information, a crash, or code execution among other things.

Adobe Photoshop features two out-of-bounds read flaws (CVE-2020-9683, CVE-2020-9686) and three out-of-bounds write (CVE-2020-9684, CVE-2020-9685, CVE-2020-9687) issues. All of these could “lead to arbitrary code execution in the context of the current user,” according to Adobe.

The Photoshop vulnerabilities affect Photoshop CC 2019 versions 20.0.9 and earlier and Photoshop 2020 21.2 and earlier (for Windows). Users can update to versions 20.0.10 and 21.2.1, respectively.

Adobe has previously addressed various serious flaws in its Photoshop photo editing app, including dozens of arbitrary code-execution issues in March – which addressed 22 CVEs in Photoshop overall, 16 of which were critical.

Other Flaws

Also fixed were critical flaws tied to three CVEs in Bridge, Adobe’s asset management app. These include an out-of-bounds read flaw (CVE-2020-9675) and out-of-bounds write issues (CVE-2020-9674, CVE-2020-9676) that could enable code execution. Adobe Bridge versions 10.0.3 and earlier are affected; users can update to version 10.1.1 for a fix.

Adobe also issued patches for critical vulnerabilities in its Prelude app, which works with its Premiere Pro video editing app to allow users to tag media with metadata for searching, post-production workflows, and footage lifecycle management.

Prelude contains out-of-bounds read (CVE-2020-9677, CVE-2020-9679) and out-of-bounds write (CVE-2020-9678, CVE-2020-9680) glitches that can allow code execution. Adobe Prelude versions 9.0 and earlier for Windows are affected; users can update to version 9.0.1.

Powell was also credited with reporting the additional critical flaws.

Adobe also issued patches for an “important” severity flaw in Adobe Reader Mobile for Android, which allows users to view and edit PDFs from their smartphones. The application has a directory traversal issue (CVE-2020-9663) enabling information disclosure in the context of the current user. Adobe Reader Mobile for Android, versions 20.0.1 and earlier are impacted. Users can update to version 20.3 (for all Android versions).


Adobe XD plugin for Flutter with CodePen Tutorial

Adobe XD recently released a new version of the plugin that you can use to export designs directly into Flutter widgets or screens. Yes, you read that right: you can now create your favorite design in Adobe XD and export it in widget form or as a full-screen design, which can save you a lot of design time.

What will we do?
I will make a simple design of a dialogue box with a card design with text over it as shown below. After you complete this exercise you can experiment with the UI. You can make your own components or import the UI kits available with Adobe XD.
