Adobe has resolved Vulnerability-related.PatchVulnerability six critical updates in the company 's latest round of security fixes . On Tuesday , Adobe said in a security advisory that the update impacts Vulnerability-related.DiscoverVulnerability ColdFusion version 11 , as well as the 2016 and 2018 releases of the web application development platform . In total , six of the security flaws are deemed Vulnerability-related.DiscoverVulnerability critical . The first set of vulnerabilities -- CVE-2018-15965 , CVE-2018-15957 , CVE-2018-15958 , and CVE-2018-15959 -- relate to the deserialization of untrusted data . In addition , CVE-2018-15961 is a security flaw which permits unrestricted file uploads in the software , and the final critical bug , CVE-2018-15960 , is described as Vulnerability-related.DiscoverVulnerability `` use of a component with a known vulnerability '' which can cause arbitrary file overwrite . If exploited Vulnerability-related.DiscoverVulnerability , all of the above security flaws can lead to arbitrary code execution . Three other bugs in ColdFusion have also been resolved Vulnerability-related.PatchVulnerability . CVE-2018-15962 is a flaw within directory listings that can lead to information disclosure ; CVE-2018-15963 is a security bypass bug which could permit attackers to create arbitrary folders , and CVE-2018-15964 is another security flaw caused by the use of a component with a known vulnerability which may cause data leaks . Adobe also released Vulnerability-related.PatchVulnerability a fix for Adobe Flash Player on desktop Windows , macOS , and Linux machines , as well as Flash for Google Chrome on Windows , macOS , Linux , and Chrome OS , versions 30.0.0.154 and earlier . This security flaw , CVE-2018-15967 is listed Vulnerability-related.DiscoverVulnerability as an `` important '' privilege escalation bug which could lead to information disclosure . Originally , Microsoft listed Vulnerability-related.DiscoverVulnerability the same vulnerability as critical and one which enabled attackers to perform remote code execution attacks . However , Microsoft has now amended its advisory to reflect Adobe 's severity rating . Adobe is not aware of any reports suggesting Vulnerability-related.DiscoverVulnerability the vulnerabilities have been exploited Vulnerability-related.DiscoverVulnerability in the wild but recommends Vulnerability-related.PatchVulnerability that users accept the automatic updates as soon as possible . The tech giant thanked researchers including Matthias Kaiser of Code White GmbH , Gsrc from Venustech-Adlab , and Nick Bloor of Cognitous for reporting Vulnerability-related.DiscoverVulnerability the vulnerabilities . This month 's security fixes build Vulnerability-related.PatchVulnerability upon Adobe 's August patch update , in which 11 security flaws were resolved Vulnerability-related.PatchVulnerability , including critical vulnerabilities in Adobe Acrobat 2017 , Acrobat DC , and Acrobat Reader DC on Windows and macOS machines . In the same month , the tech giant also released Vulnerability-related.PatchVulnerability an out-of-schedule patch for Adobe Photoshop CC . The security update tackled Vulnerability-related.PatchVulnerability memory corruption bugs in the creative software which , if exploited Vulnerability-related.DiscoverVulnerability , could lead to code execution .

The Russian hacking group blamed for targeting U.S. and European elections has been breaking into Attack.Databreach email accounts , not only by tricking Attack.Phishing victims into giving up passwords , but by stealing Attack.Databreach access tokens too . It 's sneaky hack that 's particularly worrisome , because it can circumvent Google 's 2-step verification , according to security firm Trend Micro . The group , known as Fancy Bear or Pawn Storm , has been carrying out the attack Attack.Phishing with its favored tactic of sending out Attack.Phishing phishing emails , Trend Micro said in a report Tuesday . The attack Attack.Phishing works by sending out Attack.Phishing a fake email , pretending to be Attack.Phishing from Google , with the title “ Your account is in danger. ” An example of a phishing email that Fancy Bear has used Attack.Phishing . The email claims that Google detected several unexpected sign-in attempts into their account . It then suggests users install a security application called “ Google Defender. ” However , the application is actually a ruse . In reality , the hacking group is trying to dupe Attack.Phishing users into giving up a special access token for their Google account , Trend Micro said . Victims that fall for the scheme will be redirected to an actual Google page , which can authorize the hacking group 's app to view and manage their email . Users that click “ allow ” will be handing over what ’ s known as an OAuth token . Although the OAuth protocol does n't transfer over any password information , it 's designed to grant third-party applications access to internet accounts through the use of special tokens . In the case of Fancy Bear , the hacking group has leveraged the protocol to build Attack.Phishing fake applications that can fool Attack.Phishing victims into handing over account access , Trend Micro said . “ After abusing the screening process for OAuth approvals , ( the group ’ s ) rogue application operates Attack.Phishing like every other app accepted by the service provider , ” the security firm said . Even Google 's 2-step verification , which is designed to prevent unwarranted account access , ca n't stop the hack , according to Trend Micro . Google 's 2-step verification works by requiring not only a password , but also a special code sent to a user 's smartphone when logging in . Security experts say it 's an effective way to protect your account . However , the phishing scheme Attack.Phishing from Fancy Bear manages to sidestep this security measure , by tricking Attack.Phishing users into granting access through the fake Google security app . Google , however , said it takes many steps to protect users from such phishing attacks Attack.Phishing . `` In addition , Google detects and reviews potential OAuth abuse and takes down thousands of apps for violating our User Data Policy , such as impersonating Attack.Phishing a Google app , '' the company said in a statement . `` Note that a real Google app should be directly accessed from a Google site or installed from the Google Play or Apple App stores , '' it added . According to Trend Micro , victims were targeted with this phishing attack Attack.Phishing in 2015 , and 2016 . In addition to Google Defender , Fancy Bear has used other apps under names such as Google Email Protection and Google Scanner . They ’ ve also gone after Yahoo users with apps called Delivery Service and McAfee Email protection . The attack Attack.Phishing attempts to trick Attack.Phishing users into handing over access to their email through fake Google third-party applications . “ Internet users are urged to never accept OAuth token requests from an unknown party or a service they did not ask for , ” Trend Micro said . Although a password reset can sometimes revoke an OAuth token , it 's best to check what third-party applications are connected to your email account . This can be done by looking at an email account 's security settings , and revoking access where necessary . Fancy Bear is most notorious for its suspected role in hacking the Democratic National Committee last year . However , the group has also been found targeting everything from government ministries , media organizations , along with universities and think tanks , according to Trend Micro .