Adobe rolled out security updates for three of its products on Tuesday, including 95 fixes it pushed for Acrobat, Reader, and ColdFusion.
Users will have to wait until later this week, however, to patch a critical vulnerability that exists in Flash Player. It may only be a matter of time until the vulnerability is publicly exploited; Adobe claims that it isn’t aware of any active exploits for the issue but is aware of a report that an exploit for the vulnerability, CVE-2016-4117, exists in the wild.
The zero day, dug up by Genwei Jiang, a researcher at FireEye, exists in Flash 220.127.116.11 and earlier versions for Windows, Mac, Linux, and Chrome OS, Adobe warned Tuesday. If exploited, the vulnerability could cause a crash and let an attacker take control of the system. A fix for the issue was not ready in time to ship with this week’s Patch Tuesday patches but the company claims it is planning to address the issue later in the week, potentially as early as Thursday.
As far as today’s patches go, 92 of the 95 issues that were fixed, address vulnerabilities in either Acrobat and Reader, the bulk of which were use-after-free vulnerabilities or memory corruption vulnerabilities that could lead to code execution, Adobe warns.
While none of the Reader or Acrobat vulnerabilities are being exploited in the wild to Adobe’s knowledge, the company has still branded them critical, because they could enable an attacker to take control of a system.
Three vulnerabilities were fixed in ColdFusion, including hotfixes for version 10, 11, and the 2016 release. The fixes address an input validation issue that could lead to cross-site scripting (XSS) attacks, a host name verification problem with wild card certificates, and an Apache Commons update to mitigate java deserialization.
The 95 patches mark a serious uptick from the last time Adobe updated Acrobat and Reader; when it released updates in March it only patched three CVEs combined between the two products.
The company was forced to issue an emergency update for Flash last month after a vulnerability in version 18.104.22.168 was discovered and eventually rolled into two exploit kits and used to peddle ransomware.