Adobe Patches Flash Player, 56 Bugs in Reader and Acrobat

Adobe released a monster update for Acrobat and Reader patching dozens of remote code execution vulnerabilities, along with a Flash Player update addressing a handful of critical flaws.

Adobe kicked off today’s Patch Tuesday barrage with a monster update for Acrobat and Reader patching dozens of remote code execution vulnerabilities, along with the near-customary Flash Player update addressing a handful of critical flaws.

None of the vulnerabilities patched today are under active attack, Adobe said. The company also pushed out security bulletins for Photoshop CC, Connect, DNG Converter, InDesign CC, Digital Editions, Shockwave Player and Adobe Experience Manager.

The Flash Player update affects versions 27.0.0.183 and earlier on Windows, Mac, Linux and Chrome OS, as well as the Chrome, Microsoft Edge and Internet Explorer 11 browsers. Admins should be sure current versions are running 27.0.0.187 on all platforms, Adobe said.

The Flash update addresses five critical remote code execution vulnerabilities (CVE-2017-3112, CVE-2017-3114, CVE-2017-11213, CVE-2017-11215 and CVE-2017-11225). Three of the bugs are out-of-bounds read issues reported by the Zero Day Initiative, and the remaining two are use-after-free flaws privately reported by China’s Tencent Zhanlu Lab.

The Acrobat and Reader update includes patches for 56 vulnerabilities, most of which are critical remote code execution vulnerabilities. The update also includes two security bypass bugs rated important and a separate stack exhaustion flaw leading to crashes.

Adobe said Acrobat and Reader DC 2017.012.20098 and earlier are affected as are Acrobat and Reader 2017 2017.011.30066 and earlier, Acrobat and Reader DC 2015.006.30355 and earlier, and Acrobat and Reader XI 11.0.22 and earlier.

The remaining updates include:
