Adobe released security updates for its Flash Player, Reader, Acrobat, Digital Editions and Experience Manager products. The company addressed more than 80 vulnerabilities.
Adobe has updated Flash Player to version 220.127.116.11 on all platform, this release addresses only two vulnerabilities, a serious security bypass flaw, tracked as CVE-2017-3085, that can lead to information disclosure and a critical type confusion flaw (CVE-2017-3106) that can lead to remote code execution.
“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address a critical type confusion vulnerability that could lead to code execution and an important security bypass vulnerability that could lead to information disclosure.” reads the security advisory.
The experts Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero were credited for the code execution vulnerability, while the information disclosure issue was reported by Björn Ruytenberg via ZDI.
Adobe announced end of life for Flash Player by the end of 2020.
69 vulnerabilities were fixed in Reader and Acrobat 2017.009.20058, 2017.008.30051 and 2015.006.30306 and earlier versions on Windows and Mac.
The security updates fix flaws rated Critical and Important that could be exploited by hackers to take control of the affected system.
The list of flaws includes critical memory corruption, use-after-free, heap overflow, and type confusion vulnerabilities, according to Adobe they can be exploited for remote code execution and some of them can lead to information disclosure.
The flaws have been discovered and reported by external independent researchers, many of them via the Trend Micro’s Zero Day Initiative (ZDI), the expert Ke Liu from Tencent’s Xuanwu LAB was credited with the highest number of issues.
Adobe also patched three moderate and important severity vulnerabilities in the Experience Manager enterprise content management product. The flaw could be exploited by attackers for information disclosure and arbitrary code execution, the vulnerabilities were reported to Adobe anonymously.
“Adobe has released security updates for Adobe Experience Manager. These updates resolve a moderate file type validation vulnerability (CVE-2017-3108) and two moderate information disclosure vulnerabilities (CVE-2017-3107 and CVE-2017-3110).” reads the advisory.
Adobe addressed 9 vulnerabilities with the latest updates for the Windows, Mac, iOS and Android versions of the Adobe Digital Editions ebook reader that have been reported by Steven Seeley of Source Incite, Jaanus Kääp of Clarified Security, and Riusksk of Tencent.
Two flaws tracked as CVE-2017-11274 and CVE-2017-11272, have been rated as critical, they can trigger code execution and information disclosure.
Adobe is not aware of attacks in the wild exploiting the above issues.
(Security Affairs – Adobe, hacking)