Security updates released by Adobe for its Flash Player, Reader, Acrobat, Digital Editions and Experience Manager products address more than 80 vulnerabilities discovered by external researchers.
A majority of the flaws, 69, were patched in Reader and Acrobat 2017.009.20058, 2017.008.30051 and 2015.006.30306 and earlier versions on Windows and Mac.
The list includes critical memory corruption, use-after-free, heap overflow, and type confusion vulnerabilities that can be exploited for remote code execution. While a majority of the security holes rated critical allow arbitrary code execution, some of the issues classified as critical can lead to information disclosure.
The flaws rated important, which can also lead to remote code execution and information disclosure, have been described as insufficient verification of data authenticity, memory corruption, security bypass, and use-after-free issues.
Independent researchers and the employees of several firms have been credited for reporting these vulnerabilities, many via Trend Micro’s Zero Day Initiative (ZDI). Ke Liu of Tencent’s Xuanwu LAB has reported the highest number of flaws.
Adobe has updated Flash Player to version 126.96.36.199 on all platforms. The latest release addresses only two vulnerabilities, including an important security bypass issue that can lead to information disclosure (CVE-2017-3085) and a critical type confusion flaw that can lead to remote code execution (CVE-2017-3106).
Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero reported the code execution vulnerability and Björn Ruytenberg discovered the information disclosure bug via ZDI.
Adobe announced recently that, after consultations with technology partners, it has decided to end support for Flash Player by the end of 2020.
In the Experience Manager enterprise content management product, Adobe patched three moderate and important severity vulnerabilities that can be exploited for information disclosure and arbitrary code execution. The issues were reported to the company anonymously.
The latest updates for the Windows, Mac, iOS and Android versions of the Adobe Digital Editions ebook reader fix nine vulnerabilities discovered by Steven Seeley of Source Incite, Jaanus Kääp of Clarified Security, and Riusksk of Tencent.
The most severe of them, CVE-2017-11274 and CVE-2017-11272, have been described as critical remote code execution and information disclosure weaknesses.
Adobe is not aware of any attacks exploiting these vulnerabilities. Only the Flash Player patches have a priority rating of 1, which means they are more likely to be exploited by hackers.