Connect with us

Hi, what are you looking for?



Adobe Patches 69 Flaws in Reader, Acrobat

Security updates released by Adobe for its Flash Player, Reader, Acrobat, Digital Editions and Experience Manager products address more than 80 vulnerabilities discovered by external researchers.

Security updates released by Adobe for its Flash Player, Reader, Acrobat, Digital Editions and Experience Manager products address more than 80 vulnerabilities discovered by external researchers.

A majority of the flaws, 69, were patched in Reader and Acrobat 2017.009.20058, 2017.008.30051 and 2015.006.30306 and earlier versions on Windows and Mac.

The list includes critical memory corruption, use-after-free, heap overflow, and type confusion vulnerabilities that can be exploited for remote code execution. While a majority of the security holes rated critical allow arbitrary code execution, some of the issues classified as critical can lead to information disclosure.

The flaws rated important, which can also lead to remote code execution and information disclosure, have been described as insufficient verification of data authenticity, memory corruption, security bypass, and use-after-free issues.

Independent researchers and the employees of several firms have been credited for reporting these vulnerabilities, many via Trend Micro’s Zero Day Initiative (ZDI). Ke Liu of Tencent’s Xuanwu LAB has reported the highest number of flaws.

Adobe has updated Flash Player to version on all platforms. The latest release addresses only two vulnerabilities, including an important security bypass issue that can lead to information disclosure (CVE-2017-3085) and a critical type confusion flaw that can lead to remote code execution (CVE-2017-3106).

Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero reported the code execution vulnerability and Björn Ruytenberg discovered the information disclosure bug via ZDI.

Advertisement. Scroll to continue reading.

Adobe announced recently that, after consultations with technology partners, it has decided to end support for Flash Player by the end of 2020.

In the Experience Manager enterprise content management product, Adobe patched three moderate and important severity vulnerabilities that can be exploited for information disclosure and arbitrary code execution. The issues were reported to the company anonymously.

The latest updates for the Windows, Mac, iOS and Android versions of the Adobe Digital Editions ebook reader fix nine vulnerabilities discovered by Steven Seeley of Source Incite, Jaanus Kääp of Clarified Security, and Riusksk of Tencent.

The most severe of them, CVE-2017-11274 and CVE-2017-11272, have been described as critical remote code execution and information disclosure weaknesses.

Adobe is not aware of any attacks exploiting these vulnerabilities. Only the Flash Player patches have a priority rating of 1, which means they are more likely to be exploited by hackers.

Related: Tech Giants Announce Plans for Removal of Flash

Related: Adobe Fixes Vulnerabilities in Flash Player, Connect

Related: Adobe Patches 20 Flaws in Flash Player, Other Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.