Adobe has released security updates to fix major vulnerabilities in its Adobe Flash, Adobe ColdFusion, and Adobe Campaign software products. The update for Flashpatches a critical use-after-free vulnerability (CVE-2019-7845) that can lead to arbitrary code execution (ACE) attack. The ColdFusion updates also address three critical ACE vulnerabilities (CVE-2019-7838, CVE-2019-7839, and CVE-2019-7840) in the platform. On the other hand, seven vulnerabilities that existed in Adobe Campaign, including one rated critical (CVE-2019-7850), was also remediated with new updates.
For this month, Intel has published various advisories that address security vulnerabilities found in multiple firmware and software products. Out of the 25 vulnerabilities addressed, nine were rated as high severity. The high-impact flaws were found in Intel NUC, Intel RAID Web Console 3 (RWC3), Intel Accelerated Storage Manager and in Intel Rapid Storage Technology Enterprise (RSTe). The flaws could lead to an escalation of privilege(EoP), denial of service (DoS) or result in information disclosure (ID).
Other products covered in the advisories include vulnerabilities in Intel® Turbo Boost Max Technology 3.0 driver, Open Cloud Integrity Technology (Open CIT), OpenAttestation, Intel® Omni-Path Fabric Manager GUI, ITE Tech* Consumer Infrared Driver for Windows 10, INF Update Utility, Intel® PROSet/Wireless WiFi Software and Intel® SGX driver for Linux. A microprocessor related-flaw was also addressed.
Intel has planned to release software updates for the affected products, except for the Turbo Boost Max Technology 3.0 driver, which it has decided to issue a Discontinuation Notice to users.
Microsoft has rolled out monthly updates which fix 88 security vulnerabilities. Among them, 21 flaws had a rating of ‘Critical’. Vulnerabilities mostly included remote code execution (RCE), ID and cross-site scripting (XSS) flaws that affected various products. The affected products listed in the updates are:
- Adobe Flash Player
- Microsoft Windows
- Internet Explorer
- Microsoft Edge
- Microsoft Office and Microsoft Office Services and Web Apps
- Skype for Business and Microsoft Lync
- Microsoft Exchange Server
In the updates, the tech giant has also patched four (CVE-2019-1069, CVE-2019-1053, CVE-2019-1064, CVE-2019-0973) out of five zero-day vulnerabilities uncovered last month.
SAP has published 11 security notes in this month along with three follow-up updates to previous notes. The security notes address DoS, XSS, ID, clickjacking and missing authorization check vulnerabilities found in many of its products. Products impacted from the flaws are SAP NetWeaver Process Integration, SAP Work Manager, SAP Inventory Manager, SAP R/3 Enterprise Application, SAP HANA Extended Application Services and SAP NetWeaver AS ABAP Platform.
VMware fixes two major vulnerabilities which impacted its VMware Tools and Workstation products. While the update for VMware Tools resolves an out-of-bounds read (CVE-2019-5522) vulnerability in a software driver, the update for Workstation is for a use-after-free (UAF) vulnerability (CVE-2019-5525) present in the backend. The UAF has a CVSS score of 8.5 and the out-of-bounds read flaw scores 7.1.
Ubuntu has released software updates for the recent vulnerabilities discovered in Vim and Neovim applications. Both the applications could be exploited with RCE attacks due to file handling issues in these software. Apart from this, Ubuntu has also announced updates for applications such as DBus, GLib, libsndfile, and elfutils, which housed DoS and RCE vulnerabilities.