Adobe Patches 69 Vulnerabilities in Reader, Acrobat, Flash

Adobe released a large update for Reader, Acrobat, and Flash today that addresses 69 critical vulnerabilities combined in the software.

Adobe today released a jumbo-sized Patch Tuesday update for Reader, Acrobat, and Flash, addressing a combined 69 critical vulnerabilities in the software, many which can lead to information disclosure and code execution.

The company warned about the bugs via a blog post at its Product Security Incident Response Team (PSIRT) Blog and in a pair of security bulletins published to its site Tuesday morning.

As far as Adobe is aware, none of the vulnerabilities are currently being exploited in the wild.

The bulk of the bugs, 56 in total, exist in the company’s Acrobat and Reader software families, including its DC, XI, and X products, for both Windows and Macintosh machines.

If exploited, many of the flaws, including memory corruption, heap buffer overflow, and use-after-free vulnerabilities, could lead to code execution. Other fixes pushed by the company address various methods that could have been used to bypass restrictions on Javascript API execution, and resolve an issue that could have led to information disclosure via a bypass.

Many of the bugs, 28 of the 56, were dug up by researchers with or working with HP’s Zero Day Initiative. Other researchers, working with Cure53 and Verisign iDefense Labs, also chipped in.

It’s the first round of security updates Adobe has pushed for Acrobat and Reader in three months. Earlier this summer the company patched 46 critical issues in the two products.

On top of the Reader and Acrobat fixes, Adobe also patched 13 issues in Adobe Flash for Windows, Macintosh, ChromeOS, and Linux, graduating the software to Version

Nearly all of the issues – save for one that could bypass same-origin-policy and another that improves a feature in the Flash broker API – could lead to code execution, Adobe warns.

This is the second batch of security fixes Adobe has pushed for Flash Player in the last three weeks; in mid-September the company fixed 23 other critical vulnerabilities in the software.

Suggested articles