Security Experts:

Adobe Patches Flash, Reader Flaws Exploited at Pwn2Own

Adobe released security updates for several of its products on Tuesday to address a total of 59 vulnerabilities, including flaws disclosed last month at the Pwn2Own 2017 hacking competition.

A majority of the security holes, 47 to be precise, have been patched in the Windows and Mac versions of Adobe Acrobat and Reader. The vulnerabilities, rated critical with a priority rating of 2 (i.e. no exploits and exploitation not imminent), have been described as memory corruptions that could lead to arbitrary code execution or memory address leaks.

Seven critical vulnerabilities have been patched in Adobe Flash Player. The security holes are use-after-free and memory corruption issues that could lead to code execution.

Many of the flaws patched on Tuesday were reported to Adobe via Trend Micro’s Zero Day Initiative (ZDI), including several Reader and Flash Player vulnerabilities disclosed at ZDI’s Pwn2Own competition.

ZDI has published five advisories detailing the Pwn2Own security holes tracked as CVE-2017-3062, CVE-2017-3063, CVE-2017-3055, CVE-2017-3056 and CVE-2017-3057.

Adobe has also resolved vulnerabilities in Photoshop CC for Mac and Windows, Campaign, and the Creative Cloud Desktop Application for Windows. The company has found no evidence of exploitation in the wild.

Microsoft has also released patches for tens of vulnerabilities this Tuesday, including for zero-day flaws exploited in the wild.

One of the zero-days is CVE-2017-0199, an Office and WordPad vulnerability that has been exploited to deliver malware such as Dridex, WingBird, Latentbot and Godzilla. Another zero-day is CVE-2017-0210, a privilege escalation vulnerability affecting Internet Explorer.

The third zero-day impacts Office and it hasn’t actually been patched, but Microsoft did release a mitigation that should help reduce the risk of exploitation. This flaw has been exploited in limited, targeted attacks.

Related: Mozilla Patches Firefox Flaw Disclosed at Pwn2Own

Related: VMware Patches Flaws Disclosed at Pwn2Own

Related: Linux Kernel Flaw Disclosed at Pwn2Own Patched

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.