Adobe fixed 21 vulnerabilities across four products today, releasing patches for Flash, Shockwave Player, Captivate, and Adobe Digital Editions.
Most of the vulnerabilities, 15 of the 21, are marked critical by the company because they could lead to code execution. The updates came in the form of four security bulletins Tuesday morning as part of Adobe’s regularly scheduled patch cycle.
All of the bugs in Flash – four use-after-free vulnerabilities and five memory corruption vulnerabilities – could lead to remote code execution, Adobe warns. The bulk of the vulnerabilities were discovered by a CloverSec Labs researcher who goes by the handle bee13oy, and by Mateusz Jurczyk and Natalie Silvanovich, two researchers with Google’s Project Zero.
The Flash Player update brings the Desktop Runtime version for Windows and Macintosh, Google Chrome, and the Desktop Runtime version for Linux to 18.104.22.168 and the version in Edge and Internet Explorer 11 to version 22.214.171.124.
Adobe Digital Editions, the company’s e-book reader software, also received a security update Tuesday. The software is used on e-book readers, such as iPads and Androids, but not Kindles. The software suffered from a variety of issues: four memory corruption bugs, three insecure library loading bugs, and a stack overflow bug. The memory corruption bugs are marked critical and are the most pressing, as they could lead to remote code execution. The rest of the bugs, marked important, could trigger escalation of privilege or memory address disclosure.
Today’s update brings the software from version 4.5.4 to 4.5.5 on Windows, Mac, iOS, and Android platforms.
Tuesday’s round of updates also fixes a memory corruption vulnerability that could have led to remote code execution in Shockwave. Adobe warns that the vulnerability, discovered by researchers with Fortinet’s FortiGuard Labs, is critical but only gives it a priority rating of “2.”
Lastly, a relatively minor bug in Adobe Captivate, software the company makes to help users create e-learning content, like simulations, quizzes, and demonstrations, was also fixed. The bug, an information disclosure vulnerability, was tied to abuse of the software’s quiz reporting feature.
The company released an update for the tool to bring Captivate 2017 to version 10.0.0.192. Users still running Captivate versions 8 and 9 can apply a hotfix – renaming two .php files – to receive the fix.
The 15 critical vulnerabilities are just about double last month’s count, when Adobe fixed seven critical bugs, all of which existed in Flash Player.