Security Experts:

Connect with us

Hi, what are you looking for?



Adobe Patches Flash, Reader Flaws Exploited at Pwn2Own

Adobe released security updates for several of its products on Tuesday to address a total of 59 vulnerabilities, including flaws disclosed last month at the Pwn2Own 2017 hacking competition.

Adobe released security updates for several of its products on Tuesday to address a total of 59 vulnerabilities, including flaws disclosed last month at the Pwn2Own 2017 hacking competition.

A majority of the security holes, 47 to be precise, have been patched in the Windows and Mac versions of Adobe Acrobat and Reader. The vulnerabilities, rated critical with a priority rating of 2 (i.e. no exploits and exploitation not imminent), have been described as memory corruptions that could lead to arbitrary code execution or memory address leaks.

Seven critical vulnerabilities have been patched in Adobe Flash Player. The security holes are use-after-free and memory corruption issues that could lead to code execution.

Many of the flaws patched on Tuesday were reported to Adobe via Trend Micro’s Zero Day Initiative (ZDI), including several Reader and Flash Player vulnerabilities disclosed at ZDI’s Pwn2Own competition.

ZDI has published five advisories detailing the Pwn2Own security holes tracked as CVE-2017-3062, CVE-2017-3063, CVE-2017-3055, CVE-2017-3056 and CVE-2017-3057.

Adobe has also resolved vulnerabilities in Photoshop CC for Mac and Windows, Campaign, and the Creative Cloud Desktop Application for Windows. The company has found no evidence of exploitation in the wild.

Microsoft has also released patches for tens of vulnerabilities this Tuesday, including for zero-day flaws exploited in the wild.

One of the zero-days is CVE-2017-0199, an Office and WordPad vulnerability that has been exploited to deliver malware such as Dridex, WingBird, Latentbot and Godzilla. Another zero-day is CVE-2017-0210, a privilege escalation vulnerability affecting Internet Explorer.

The third zero-day impacts Office and it hasn’t actually been patched, but Microsoft did release a mitigation that should help reduce the risk of exploitation. This flaw has been exploited in limited, targeted attacks.

Related: Mozilla Patches Firefox Flaw Disclosed at Pwn2Own

Related: VMware Patches Flaws Disclosed at Pwn2Own

Related: Linux Kernel Flaw Disclosed at Pwn2Own Patched

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet