Adobe Patches 67 Vulnerabilities in Flash, Acrobat, and Reader

Adobe’s latest security update has swatted a total of 67 bugs, some of them critical, in Adobe Flash, Acrobat, and Reader.

On Tuesday, the software provider released a security advisory detailing a large number of vulnerabilities that have now been fixed in the latest patch round.

Adobe Flash Player, Photoshop CC, Connect, Acrobat and Reader, DNG Converter, InDesign, Digital Editions, Shockwave Player and Adobe Experience Manager are all included.

In total, Adobe has resolved five vulnerabilities in Flash Player, a constant presence in security updates.

Impacting Windows, Mac, Linux and Chrome OS, the problems are all deemed critical and can all lead to remote code execution due to out-of-bounds read and use-after-free bugs.

However, the update to Adobe Acrobat and Reader is the largest, with 62 security flaws being resolved that impact Windows and Mac machines. The majority of the bugs, 58 in total, can lead to remote code execution due to type confusion issues, out-of-bounds read and write, buffer issues and use-after-free bugs.

A total of seven vulnerabilities have been resolved in Adobe Photoshop and Adobe Connect, including security flaws which can lead to remote code execution and information leaks.

In Shockwave, Adobe’s update fixed a critical memory corruption vulnerability that could lead to remote code execution in versions 12.2.9.199 and earlier on the Windows platform.

Adobe has also resolved security issues in Adobe Experience Manager: two cross-site scripting (XSS) vulnerabilities found within HtmlRendererServlet and Apache Sling Servlets, as well as an information disclosure bug. Versions 6.0 to 6.3 are impacted on all platforms.

In addition, a critical memory corruption vulnerability impacting InDesign versions 12.1.0 and earlier, which could lead to remote code execution, has been fixed, together with another memory corruption bug in Adobe DNG Converter versions 9.12.1 and earlier on Windows.

Adobe Digital Editions, versions 4.5.6 and earlier on Windows, Mac, iOS, and Android, has also been included in this security update. In total, six bugs have been patched, including a critical issue caused by unsafe parsing of XML leading to information leaks and five memory address disclosure problems.

The company acknowledged researchers from Source Incite, Tencent, FortiGuard Labs, Trend Micro’s Zero Day Initiative, and Palo Alto Networks, among others, for reporting the vulnerabilities.

Adobe recommends that users and IT staff immediately apply automatic updates to stay safe from exploits.