Adobe today released security updates for its PDF editing and viewing products, Acrobat and Reader, and for its e-book reader, Adobe Digital Editions. And while the customary Flash update is missing from today’s monthly rollout, Adobe said a new version of the software will be available “in the coming days.”
Last month, Adobe patched 22 CVEs in Flash Player, most of which were memory-related vulnerabilities, including corruption and use-after-free vulnerabilities.
Today’s patches are much lighter, fixing three flaws in Acrobat and Reader, and a single vulnerability in Digital Editions.
The trio of Acrobat and Reader vulnerabilities was privately disclosed to Adobe by researchers at HP’s Zero Day Initiative.
Two of the patches (CVE-2016-1007 and CVE-2016-1009) address memory corruption vulnerabilities, while the third addresses a flaw in the directory search path (CVE-2016-1008). All three can be exploited to remotely execute code on compromised machines, Adobe said, adding that it was not aware of any public attacks against these bugs.
Adobe said the Windows and Macintosh versions of Acrobat and Reader DC Continuous (15.010.20059 and earlier and 15.006.30119 and earlier, respectively) are affected, as are Acrobat and Reader Desktop versions 11.0.14 and earlier.
The Adobe Digital Editions vulnerability also leads to remote code execution, Adobe said. The patch specifically addresses a memory corruption issue (CVE-2016-0954); it has not been publicly attacked, Adobe said, adding that versions 4.5.0 and earlier are affected. Users are urged to update to 4.5.1.