Adobe today pushed out its first Flash Player update since announcing two weeks ago that it would stop distributing and updating the software in 2020.
Flash has been at the center of many targeted attacks and exploit kit activity, and despite numerous improvements to the product including sandboxing and attempts to kill off entire classes of vulnerabilities, many security conscious users will soon have their way with Flash going end-of-life.
Today, as part of its regular Patch Tuesday update, Adobe patched two vulnerabilities in Flash, including a critical type-confusion vulnerability that could allow attackers to run code on a compromised computer.
Users should ensure they are running version 26.0.0.151 of Flash Player for Windows, Macintosh, Linux and ChromeOS. Versions 26.0.0.137 and earlier are affected by these two bugs on all platforms, Adobe said in its advisory.
The type-confusion vulnerability, CVE-2017-3106, was privately reported by Google Project Zero’s Natalie Silvanovich and Mateusz Jurczyk.
The second vulnerability, CVE-2017-3085, patched today is a security bypass vulnerability that could lead to information disclosure, Adobe said. It was reported by the Zero Day Initiative, and was given a severity rating of important by Adobe.
Adobe also updated its Acrobat and Reader products, addressing 67 vulnerabilities including dozens of critical memory corruption, use-after-free and heap overflow bugs that expose compromised machines to remote code execution. Also patched were a number of other bugs rated important in severity, most of which lead to information disclosure.
Adobe said it is not aware of public exploits for any of these vulnerabilities.
Versions 2017.009.20058 and earlier of Acrobat and Reader DC, 2017.008.30051 and earlier of Acrobat and Acrobat Reader 2017, 2015.006.30306 and earlier of Acrobat and Reader DC Classic Track, and 11.0.20 and earlier of Acrobat and Reader XI are affected on Windows and Macintosh platforms, Adobe said in its advisory.
Adobe also patched three vulnerabilities in its Experience Manager, the company’s content management platform. Two of the vulnerabilities lead to information disclosure, one in which the product version number is leaked, and another where internal information is leaked in output, Adobe said in its advisory. Both are rated moderate severity.
The third bug, rated important, could lead to code execution. The vulnerability occurs because of insufficient file type validation during upload, Adobe said. Versions 6.0, 6.1, 6.2 and 6.3 are affected on all platforms.
Finally, Adobe also updated its ebook reader, Digital Editions, patching two critical remote code execution vulnerabilities, as well as a less severe memory corruption bug that leads to memory address disclsoure.
Adobe said in its advisory that versions 4.5.5 and earlier are affected and users should update to version 4.5.6 on all platforms.