Adobe fixed eight vulnerabilities across three products, including two critical memory corruption bugs and a critical XML parsing flaw, with its regularly scheduled update on Tuesday.RoboHelp for Windows, ColdFusion, and as usual, Flash Player, all received updates as part of the company’s Patch Tuesday security bulletins.
Versions 26.0.0.151 and earlier of Flash Player are affected by the memory corruption vulnerabilities (CVE-2017-11281, CVE-2017-11282). Adobe warned the bugs, discovered by Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero, could lead to code execution if exploited.
The update also resolve four bugs in ColdFusion, including the aforementioned XML parsing vulnerability, a cross-site scripting vulnerability Adobe classifies as important and a mitigation for an unsafe Java deserialization that could result in remote code execution.
While both the XML and XSS bugs could lead to information disclosure, the XML bug – found by Daniel Lawson of Depth Security – is more pressing, according to Adobe’s advisory. The updates bring ColdFusion’s 2016 release to Update 5 and ColdFusion 11 to Update 13.
Tuesday’s update also features a security update for RoboHelp for Windows, a technical documentation-editing tool the company has been developing since 2007. Adobe says it’s unaware of any exploits but warns an input validation vulnerability in the tool could be used in a cross-site scripting attack, and a moderate unvalidated URL redirect vulnerability could be exploited via phishing campaigns. Versions RH2017.0.1 and RH12.0.4.460 RoboHelp are affected until updated, according to Adobe.
The relatively scant update comes a month after the company fixed 78 vulnerabilities in Flash, Acrobat, Experience Manager, and Digital Editions in August. September’s update is more in line with July or May’s minuscule updates, when the company fixed six and eight vulnerabilities, respectively.