Adobe kicked off today’s Patch Tuesday barrage with a monster update for Acrobat and Reader patching dozens of remote code execution vulnerabilities, along with the near-customary Flash Player update addressing a handful of critical flaws.
None of the vulnerabilities patched today are under active attack, Adobe said. Adobe also pushed out security bulletins for Photoshop CC, Connect, DNG Converter, InDesign CC, Digital Editions, Shockwave Player and Adobe Experience Manager.
The Flash Player update affects versions 22.214.171.124 and earlier on Windows, Mac, Linux and Chrome OS, as well as the Chrome, Microsoft Edge and Internet Explorer 11 browsers. Admins should make sure all platforms are running version 126.96.36.199, Adobe said.
The Flash update addresses five critical remote code execution vulnerabilities (CVE-2017-3112, CVE-2017-3114, CVE-2017-11213, CVE-2017-11215 and CVE-2017-11225). Three of the bugs are out-of-bounds read issues reported by the Zero Day Initiative, and the remaining two are use-after-free flaws privately reported by China’s Tencent Zhanlu Lab.
The Acrobat and Reader update includes patches for 56 vulnerabilities, most of which are critical remote code execution vulnerabilities. The update also includes two security bypass bugs rated important and a separate stack exhaustion flaw leading to crashes.
Adobe said Acrobat and Reader DC 2017.012.20098 and earlier are affected, as are Acrobat and Reader 2017 2017.011.30066 and earlier, Acrobat and Reader DC 2015.006.30355 and earlier, and Acrobat and Reader XI 11.0.22 and earlier.
The remaining updates include:
- Adobe Photoshop CC, two critical remote code execution flaws patched
- Adobe Connect, five vulnerabilities patched, including one critical network access control bypass
- Adobe DNG Converter, one memory corruption flaw patched
- Adobe InDesign, one critical remote code execution bug patched
- Adobe Digital Editions, six vulnerabilities patched, including a critical information disclosure flaw
- Shockwave Player, one critical RCE vulnerability patched
- Adobe Experience Manager, three vulnerabilities patched, including one information disclosure bug rated moderate severity