Adobe Fixes 24 Critical Flaws in Acrobat Reader, Flash, Shockwave Player


During its regularly scheduled April security update, Adobe overall issued 43 patches, including ones for 24 critical vulnerabilities in eight of its products.

Adobe has fixed 24 critical arbitrary code execution vulnerabilities across multiple products, including Acrobat Reader, Adobe Flash, and Adobe Shockwave Player.

Overall, Adobe issued fixes for 43 different CVE numbers across eight different products, Tuesday, as part of a regularly-scheduled monthly security update. The company said that none of the vulnerabilities are currently being exploited in the wild. Acrobat Reader, Adobe’s family of products allowing users to create and manage PDF files, had the bulk of security flaws that were patched, with 21 vulnerabilities overall, 11 of which were critical arbitrary code execution flaws.

“Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities,” said Adobe in its update. “Successful exploitation could lead to arbitrary code execution in the context of the current user.”

These flaws exist in Acrobat Reader DC (2019.010.20098 and earlier versions), Acrobat Reader 2017 (2017.011.30127 and earlier versions) and Acrobat Reader DC Classic 2015 (2015.006.30482 and earlier versions) for Windows and macOS.


Acrobat Reader critical flaws.

The critical flaws include five out-of-bounds write flaws (CVE-2019-7111, CVE-2019-7118, CVE-2019-7119, CVE-2019-7120, CVE-2019-7124), two type confusion flaws (CVE-2019-7117, CVE-2019-7128), two use-after-free flaws (CVE-2019-7088, CVE-2019-7112) and two heap overflow glitches (CVE-2019-7113, CVE-2019-7125).

“The patch for Acrobat corrects 21 different CVEs,” said Dustin Childs, with Trend Micro’s Zero-Day Initiative, in a Patch Tuesday analysis. “The worst of these vulnerabilities could allow an attacker to completely take control of an affected system.”

Adobe also fixed seven arbitrary code execution flaws in the Windows version of its Shockwave Player, which is its multimedia platform for building interactive multimedia applications and video games. Impacted are versions 12.3.4.204 and earlier; users are urged to update to version 12.3.5.205.

All seven (CVE-2019-7098, CVE-2019-7099, CVE-2019-7100, CVE-2019-7101, CVE-2019-7102, CVE-2019-7103, CVE-2019-7104) stemmed from memory corruption: “This update resolves multiple critical memory corruption vulnerabilities that could lead to arbitrary code execution in the context of the current user,” said Adobe.
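The advisories above are expressed as ceilings (“2019.010.20098 and earlier”, “12.3.4.204 and earlier”), and the usual mistake when checking an inventory against them is comparing version strings lexically, which gets the zero-padded Acrobat components and multi-digit Shockwave components wrong. The following checker is an added example, not code from Threatpost or Adobe: the ceilings are the ones quoted in this article, while the inventory rows, the hostnames and the rule for mapping an installed Acrobat Reader build to its track (2017.* to the 2017 track, 2015.* to Classic 2015, everything else to DC) are constructed assumptions.

```python
"""Check installed Adobe versions against the ceilings quoted in the advisories.

Added example, not code from Threatpost or Adobe. The affected-version
ceilings are the ones quoted in the article; the inventory rows and the
track-selection rule for Acrobat Reader are constructed assumptions.
"""
import re

# "X and earlier versions" ceilings quoted in the article, keyed by product track.
AFFECTED_UP_TO = {
    "Acrobat Reader DC": "2019.010.20098",
    "Acrobat Reader 2017": "2017.011.30127",
    "Acrobat Reader DC Classic 2015": "2015.006.30482",
    "Shockwave Player": "12.3.4.204",
}

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text):
    """Turn '2019.010.20098' into (2019, 10, 20098).

    Comparing raw strings would be wrong: '12.3.10' sorts before '12.3.4'
    lexically. Numeric tuples avoid that, and the leading zero in '010'
    is dropped as intended.
    """
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is below, equal to or above b.

    Shorter versions are padded with zeros so '12.3' equals '12.3.0.0'.
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def acrobat_track(installed):
    """Map an installed Acrobat Reader version to the track named in the advisory.

    Assumption (not from the article): 2017.* belongs to the 2017 track,
    2015.* to the Classic 2015 track, and anything else (2018.*, 2019.*, ...)
    to the continuously updated DC track.
    """
    major = parse_version(installed)[0]
    if major == 2017:
        return "Acrobat Reader 2017"
    if major == 2015:
        return "Acrobat Reader DC Classic 2015"
    return "Acrobat Reader DC"


def is_affected(product, installed):
    """True when `installed` is at or below the advisory ceiling for `product`."""
    if product == "Acrobat Reader":
        track = acrobat_track(installed)
    elif product in AFFECTED_UP_TO:
        track = product
    else:
        raise ValueError(f"no ceiling known for product {product!r}")
    return compare_versions(installed, AFFECTED_UP_TO[track]) <= 0


def hosts_needing_update(inventory):
    """Return [(host, product, version, track)] for every affected inventory row."""
    hits = []
    for host, product, version in inventory:
        if is_affected(product, version):
            track = acrobat_track(version) if product == "Acrobat Reader" else product
            hits.append((host, product, version, track))
    return hits


# Constructed sample inventory; hostnames and most version numbers are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "Acrobat Reader", "2019.010.20098"),   # the ceiling itself: affected
    ("ws-02", "Acrobat Reader", "2018.011.20055"),   # older DC build: affected
    ("ws-03", "Acrobat Reader", "2017.011.30127"),   # 2017 track ceiling: affected
    ("ws-04", "Acrobat Reader", "2015.006.30483"),   # one above Classic ceiling: clean
    ("ws-05", "Shockwave Player", "12.3.4.204"),     # affected
    ("ws-06", "Shockwave Player", "12.3.5.205"),     # the fixed release: clean
]

if __name__ == "__main__":
    for host, product, version, track in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} ({track}) needs the April update")
```

Feed it the output of whatever asset inventory you already have (host, product, version) and the returned list is the patch worklist; the track lookup matters because a 2015.* Classic build is only affected up to its own ceiling, not the DC one.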

Adobe also fixed critical flaws in Adobe Flash (a critical arbitrary code execution vulnerability, CVE-2019-7096, as well as an important information disclosure flaw, CVE-2019-7108), its Adobe XD tool for designing and prototyping user experiences for web and mobile apps (which had two critical arbitrary code execution glitches, CVE-2019-7105 and CVE-2019-7106), and InDesign (a critical arbitrary code execution flaw, CVE-2019-7107).

Adobe Bridge CC, Adobe’s free digital asset management app, also had eight flaws, including two critical remote code execution vulnerabilities (CVE-2019-7130, CVE-2019-7132) and six important information disclosure flaws.

“The update for Bridge CC corrects eight CVEs – all of which were reported through the ZDI program,” said Childs. “Included are two Critical-rated remote code execution bugs that could allow an attacker to run their code in the context of the logged-on user.”

Also patched was an “important” flaw in Adobe Experience Manager Forms and a “moderate” severity vulnerability in Adobe Dreamweaver.

The regularly-scheduled updates come on the heels of a somewhat sparse March update for Adobe, when the company patched only two critical flaws in Photoshop CC and Adobe Digital Editions. Earlier in March, Adobe also issued an emergency patch for a critical vulnerability in its ColdFusion service that was being exploited in the wild. The vulnerability, CVE-2019-7816, exists in Adobe’s commercial rapid web application development platform, ColdFusion.
