Adobe patched 59 vulnerabilities in five different products, including Flash Player, Acrobat/Reader, Photoshop, Adobe Campaign, and its Adobe Creative Cloud App as part of its regularly scheduled software update today.
The company warned in a series of security bulletins posted shortly before noon Tuesday that the bulk of the bugs, 44, are critical and could lead to code execution. The 44 code execution bugs marks an uptick over last month, when Adobe only fixed six code execution bugs in Flash and even in February, when it patched 13 code execution bugs in the software.
Among the patches are fixes for vulnerabilities uncovered at Pwn2Own, the hacking competition held alongside CanSecWest last month in Vancouver. A team of hackers from Qihoo 360 exploited a heap overflow in the way Reader parsed JPEG200 to take down the PDF software on the competition’s first day. A group of researchers from Keen Team working for Tencent Security’s Team Sniper, used an info leak in Reader followed by a use after free to get code execution, as well. Keen Team is thanked in the credits of the Reader advisory for finding the info leak and use after free bugs, CVE-2017-3056 and CVE-2017-3057, and reporting them through Pwn2Own’s sponsor, Trend Micro’s Zero Day Initiative. LiuBenjin, a researcher with Qihoo’s 360 CodeSafe Team, is credited by Adobe for finding the heap overflow (CVE-2017-3055).
On Pwn2Own’s second day, hackers from 360 Security Team and Keen Team/Tencent Security exploited two separate use-after-free vulnerabilities in Flash. Both groups were able to elevate Flash to SYSTEM-level as part of their exploits. Yuki Chen, a researcher with 360’s Vulcan Team, and Keen Team were both acknowledged in today’s Flash advisory for their findings, CVE-2017-3062 and CVE-2017-3063, respectively.
Users are being encouraged to update to the latest versions of both platforms, 126.96.36.199 for Flash Player, and 2017.009.20044 for Acrobat and Reader DC continuous track, and 2015.006.30306 for Acrobat and Reader DC’s classic track. Users still running the pre-DC version of the software, Acrobat XI, will want to make sure they update to the latest version, 11.0.20.
A critical memory corruption vulnerability in Adobe’s graphic editing software Photoshop CC was also fixed in Tuesday’s updates. The bug (CVE-2017-3004) stems from the parsing of malicious PCX, or PiCture eXchange, files and could lead to code execution, Adobe warns. A less pressing, unrelated bug – an unquoted search path vulnerability in the Windows version of Photoshop – was also fixed.
Two vulnerabilities were uncovered and fixed in Adobe’s Creative Cloud desktop app for Windows on Tuesday as well. While Adobe didn’t refer to either vulnerability as critical, it warned that one vulnerability, a bug related to the directory search path used to find resources could lead to code execution and should be considered important. The other bug stems from improper resource permissions during the start up of some applications through Creative Cloud. Unlike the other patches, the Creative Cloud patch comes with a catch: To fix the issue that can lead to code execution, Creative Cloud users have to update all of their installed apps using the latest version of the desktop app. In some instances this may require logging out and logging back in, Adobe stresses.
Creative Cloud is Adobe’s software as a service platform. The suite gives subscribers access to a slew of apps, including Audition, Photoshop, Premiere Pro, and Bridge, to name a few.
The updates bring Photoshop CC to version 18.1 for Windows and Macintosh and Creative Cloud to version 188.8.131.52 for Windows.
Adobe Campaign, software that helps companies automate and personalize marketing campaigns, also received an update Tuesday. The latest version, build 8794, addresses a bug branded important by the company. Details around the bug, an input validation bypass (CVE-2017-2989) are scant but Adobe claims it could be exploited to read, write, or delete data from the software’s database.