Adobe has released a huge patch update which resolves over 100 vulnerabilities in a range of popular software.
Adobe Flash, Acrobat, Connect, Experience Manager, and Reader are all affected. The bugs impact Linux, macOS, Chrome OS, and Windows machines.
In total, 112 vulnerabilities have been patched, the majority affecting Adobe Acrobat and Adobe Reader. However, there are no zero-day vulnerabilities reported in this update.
Two severe vulnerabilities have been resolved in Adobe Flash. The critical vulnerabilities, an out-of-bounds read and a type confusion flaw (CVE-2018-5008 and CVE-2018-5007, respectively), could lead to information disclosure and arbitrary code execution in the context of the current user.
Adobe has also patched an authentication bypass vulnerability, CVE-2018-4994, in Adobe Connect.
If exploited, the bug could lead to the leak of sensitive information. In addition, the tech giant resolved an authentication bypass flaw, CVE-2018-12804, and an insecure library loading error, CVE-2018-12805. These vulnerabilities could lead to session hijacking or privilege escalation.
Adobe Experience Manager has also been included in the security update. In total, three Server-Side Request Forgery (SSRF) vulnerabilities — CVE-2018-5004, CVE-2018-5006, and CVE-2018-12809 — deemed important have been fixed.
If exploited, the bugs can trigger sensitive information disclosure.
However, the largest patch has been applied to Adobe Acrobat and Reader. In total, over a hundred vulnerabilities have been reported. These include use-after-free, out-of-bounds write, security bypass, type confusion, buffer error, and heap overflow security flaws.
If exploited, the bugs can lead to arbitrary code execution in the context of the current user, privilege escalation, and information leaks.
Researchers from Source Incite, Trend Micro’s Zero Day Initiative, Cisco Talos, Kaspersky Labs, and Palo Alto Networks, among others, have been credited for reporting the vulnerabilities.
In May, Adobe resolved a set of critical bugs in Flash and Creative Cloud. If left unpatched, the severe vulnerabilities could lead to remote code execution and unauthorized privilege escalation.