Adobe Patches Code Execution Flaws in Flash, Reader, Acrobat

Adobe’s first scheduled patch release of 2017 includes updates for Flash Player, Reader and Acrobat.

Adobe today released its first patches of the year, a familiar refrain of Flash Player and Reader fixes, none of which are under attack.

The Flash update addresses 13 vulnerabilities, all but one of which trigger remote code execution attacks. Meanwhile, 29 bugs were patched in Reader and Acrobat, and all but one enable code execution.

The patches come one month after confirmation from Microsoft and Google that they will be accelerating the deprecation of Flash in Edge and Chrome. Google said in early December it would begin moving Chrome 55 users to HTML and away from Flash in a very slow rollout. Microsoft followed that news with an announcement that it would soon block Flash by default in Edge on sites that support HTML5.

“In these cases, Flash will not even be loaded, improving performance, battery life, and security,” said Microsoft’s Crispan Cowan, a former Linux security expert and now longtime member of Microsoft’s security operation. “For sites that still depend on Flash, users will have the opportunity to decide whether they want Flash to load and run, and this preference can be remembered for subsequent visits.”

Flash’s security story has turned into a long and turbulent tale, and despite attempts by Adobe to harden the software with mitigations meant to prevent memory-based attacks, attackers continue to find soft spots in Flash and use it in large-scale campaigns and targeted attacks with equal precision.

Today’s update affects versions 24.0.0.186 and earlier on Windows, Macintosh and Linux platforms, as well as Chrome, Edge and Internet Explorer. Organizations should update to 24.0.0.194 as soon as possible.

Three use-after free vulnerabilities, four buffer overflow flaws and five memory corruption bugs were patched today, all of which enable attackers to run code on the host machine. Adobe also patched an information disclosure vulnerability, CVE-2017-2938.

The Reader and Acrobat update was beefier, patching more than two dozen vulnerabilities affecting versions 11.0.18 and earlier. Most of the Acrobat and Readers bugs are type confusion, memory corruption issues, along with buffer overflow and use-after free flaws. All 28 allow for code execution on the host system; the remaining vulnerability, CVE-2017-2947, is a security bypass flaw.

Suggested articles