Adobe patched 81 vulnerabilities across Acrobat, Reader, and Flash on Tuesday, including a handful of critical bugs that, if exploited, could allow an attacker to take control of a system.
The lion’s share of vulnerabilities – 71 in total – exist in the company’s Acrobat and Reader platforms.
According to a security bulletin published by the company on Tuesday, most of the Acrobat and Reader updates address memory corruption, use-after-free, and buffer overflow vulnerabilities – all of which can lead to code execution – in the software. Two additional patches fix a bypass of the restriction on JavaScript API execution and a separate security bypass vulnerability that existed in the software. The update brings Acrobat DC and Reader DC to version 15.006.30243 and Acrobat XI and Reader XI to 11.0.18 on both Windows and Macintosh machines.
The patches are the first for Reader and Acrobat since July, when Adobe addressed 38 issues in the software. This month’s fixes are the most updates the software has received since May this year, when the company patched a staggering 93 vulnerabilities in Reader and Acrobat.
Twelve vulnerabilities that affected Flash Player in Chrome, Microsoft Edge, IE 11, and Linux were also resolved today. Like the Reader and Acrobat bugs, the majority of the patches – nine of the 12 – stem from memory corruption bugs. A Palo Alto Networks researcher who discovered eight bugs in Flash last month, Tao Yan a/k/a @Ga1ois, discovered four of the nine vulnerabilities, all memory corruption bugs, patched by Adobe on Tuesday. A security bypass vulnerability, a type confusion and use-after-free vulnerability that could lead to code execution were also fixed in Flash, according to Adobe.
The 12 vulnerabilities in Flash mark a decrease from last month’s update, when Adobe patched 29 issues, most of which could have led to code execution.
Adobe also took the opportunity on Tuesday to patch its Creative Cloud desktop application – an app that lets Adobe customers who subscribe to its Creative Cloud platform manage their apps and services. The update resolves an unquoted search path vulnerability in the app. Unquoted path vulnerabilities generally take advantage of the way software parses directory paths to execute code. In this case, if exploited, the vulnerability could have allowed access to resources in a parent path and subsequently, local privilege escalation, Adobe warned.
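As an added illustration of the unquoted search path class described above (not code from Adobe or from the bulletin), the following audit sketch flags command lines whose executable path contains spaces but no quotes, lists the parent directories whose write permissions need review, and gives the quoted form that removes the ambiguity. The entry names and paths are constructed placeholders, and the extension list used to find the intended executable is an assumption.

```python
import ntpath
import re
# Assumption: the intended executable is the first run of tokens ending in one of these.
EXE_RE = re.compile(r"\.(exe|com|bat|cmd)$", re.IGNORECASE)

def split_command(command_line):
    """Return (executable_path, remainder, was_quoted) for a Windows command line."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        end = len(cl) if end == -1 else end
        return cl[1:end], cl[end + 1:], True
    tokens = cl.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if EXE_RE.search(candidate):
            return candidate, cl[len(candidate):], False
    return cl, "", False  # no known extension: treat the whole string as the path

def earlier_candidates(command_line):
    """Paths CreateProcess tries first: cut at each space in turn, append ".exe"."""
    path, _, quoted = split_command(command_line)
    if quoted or " " not in path:
        return []
    tokens = path.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]

def audit(entries):
    """Map each flagged name to the directories to review and the quoted fix."""
    findings = {}
    for name, command_line in entries.items():
        candidates = earlier_candidates(command_line)
        if candidates:
            path, rest, _ = split_command(command_line)
            findings[name] = {
                "review_write_access": [ntpath.dirname(c) for c in candidates],
                "quoted_form": f'"{path}"{rest}',
            }
    return findings

# Constructed sample entries (hypothetical names and paths, not from the bulletin).
SAMPLE = {
    "ExampleUpdater": r"C:\Program Files\Example Vendor\Desktop App\updater.exe -k run",
    "ExampleAgent": r'"C:\Program Files\Example Vendor\Agent\agent.exe" --service',
    "ExampleHost": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Only the first entry is flagged; the quoted entry and the path without spaces resolve to a single location.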
Adobe says it’s not aware of any of the vulnerabilities being exploited in the wild, but in a post to its Product Security Incident Response Team (PSIRT) Blog, it encouraged users to update to the latest versions regardless.