Adobe released patches for three vulnerabilities in Flash Player

Patches for Adobe Flash Player and Adobe Connect are already available

Patches for Adobe Flash Player

This month Adobe released crucial security updates for two popular products – Adobe Flash Player[1] and Adobe Connect.[2] Two security bulletins are available for Windows, Macintosh, Linux, and Chrome OS. These patches fix major security flaws that might be exploited by cyber criminals.

The patches include six updates that are marked as moderate, important and critical. The updates for Adobe Connect fix two input validation vulnerabilities (CVE-2017-3102 and CVE-2017-3103) and prevent clickjacking attacks (CVE-2017-3101). The vulnerabilities were found in version 9.6.1 and earlier versions of the program.

However, the most important patch belongs to Adobe Flash Player. One of the three flaws found in the program is marked as critical. The company claims that exploitation of this vulnerability may give cyber criminals remote access to the computer.

Critical security flaw has been found in Adobe Flash Player

Two of the three security issues in Adobe Flash Player were discovered by a researcher known as “bo13oy” who works with Trend Micro's Zero Day Initiative (CVE-2017-3100) and Jihui Lu of Tencent KeenLab (CVE-2017-3099).[3]

The company announced that the following free products were affected:

  • Adobe Flash Player Desktop Runtime (26.0.0.131 and earlier);
  • Adobe Flash Player for Google Chrome (26.0.0.131 and earlier);
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (26.0.0.120 and earlier).

The vulnerabilities rated important involve security bypass and memory corruption that may lead to information disclosure (CVE-2017-3080 and CVE-2017-3100). The third vulnerability (CVE-2017-3099) is classified as critical because it allows attackers to achieve remote code execution.

The company provides automatic updates for the Adobe Flash Player that is installed with Google Chrome, Microsoft Edge, and Internet Explorer 11. However, Adobe Flash Player Desktop Runtime users are advised to update the program to Adobe Flash Player 26.0.0.137 from the Adobe Flash Player Download Center or directly through the program.
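The affected-version list above can be turned into a quick inventory check. The following is an added example, not code from Adobe or from this article's author; the product keys, host names and the inventory format are assumptions made for illustration, and only the version thresholds come from the list above.

```python
import re

# Highest affected version per product, taken from the list in this article.
# The short product keys are assumptions made for this example.
LAST_AFFECTED = {
    "desktop-runtime": "26.0.0.131",
    "chrome": "26.0.0.131",
    "edge-ie11": "26.0.0.120",
}
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so comparison is numeric, not lexical."""
    if not _VERSION_RE.match(text.strip()):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(part) for part in text.strip().split("."))

def classify(product, version):
    """Return 'affected', 'not-affected' or 'unknown' for one install."""
    limit = LAST_AFFECTED.get(product)
    if limit is None:
        return "unknown"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"  # unreadable version: needs a manual look
    return "affected" if installed <= parse_version(limit) else "not-affected"

def audit(inventory_text):
    """Classify each 'host,product,version' line; returns a list of tuples."""
    results = []
    for line in inventory_text.strip().splitlines():
        host, product, version = (field.strip() for field in line.split(","))
        results.append((host, product, version, classify(product, version)))
    return results

# Constructed sample inventory (hosts and versions invented for illustration).
SAMPLE = """
ws-01,desktop-runtime,26.0.0.137
ws-02,desktop-runtime,26.0.0.131
ws-03,chrome,9.0.0.1
ws-04,edge-ie11,26.0.0.125
ws-05,desktop-runtime,26.0.0
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

The `ws-03` row is the case a plain string comparison gets wrong: "9.0.0.1" sorts after "26.0.0.131" as text, so an old install would be reported as safe.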

Windows NTLM Security Protocol needs to be patched as well

Updates for Adobe products are part of July’s Patch Tuesday.[4] This month’s security bulletins also include other critical updates for the operating system, programs, and other components.

A serious issue has been detected in Microsoft NT LAN Manager (NTLM).[5] It’s an old security protocol that provides user authentication and confidentiality on networks. However, two zero-day vulnerabilities were discovered in this service.

One of the critical vulnerabilities is associated with Lightweight Directory Access Protocol (LDAP) being unprotected from NTLM relay. By exploiting this flaw, attackers might get SYSTEM privileges and full control over the targeted network.

Another flaw involves Remote Desktop Protocol Restricted-Admin mode. Exploitation of this vulnerability allows remote access to the attacked computer without knowing or guessing the password.

Other July patches include updates for Microsoft Windows, Internet Explorer, Microsoft Edge, Microsoft Office, Microsoft Office Services and Web Apps, and Adobe Flash Player. We highly recommend checking whether all necessary patches are installed on your computer.

About the author
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has long experience working in the malware and technology fields.
