Adobe has released a huge patch update which resolves over 100 vulnerabilities in a range of popular software.
Adobe Flash, Acrobat, Connect, Experience Manager, and Reader are all affected. The bugs impact Linux, macOS, Chrome OS, and Windows machines.
In total, 112 vulnerabilities have been patched, the majority affecting Adobe Acrobat and Adobe Reader. However, there are no zero-day vulnerabilities reported in this update.
Two severe vulnerabilities have been resolved in Adobe Flash. The critical vulnerabilities, an out-of-bounds read and a type confusion flaw (CVE-2018-5008 and CVE-2018-5007 respectively), could lead to information disclosure and arbitrary code execution in the context of the current user.
Adobe has also patched an authentication bypass vulnerability, CVE-2018-4994, in Adobe Connect.
If exploited, the bug could lead to the leak of sensitive information. In addition, the tech giant resolved an authentication bypass flaw, CVE-2018-12804, and an insecure library loading error, CVE-2018-12805. These vulnerabilities could lead to session hijacking or privilege escalation.
Adobe Experience Manager has also been included in the security update. In total, three Server-Side Request Forgery (SSRF) vulnerabilities deemed important -- CVE-2018-5004, CVE-2018-5006, and CVE-2018-12809 -- have been fixed.
If exploited, the bugs can trigger sensitive information disclosure.
However, the largest patch has been applied to Adobe Acrobat and Reader. In total, over a hundred vulnerabilities have been reported. These include use-after-free, out-of-bounds-write, security bypass, type confusion, buffer error, and heap overflow security flaws.
If exploited, the bugs can lead to arbitrary code execution in the context of the current user, privilege escalation, and information leaks.
Researchers from Source Incite, Trend Micro's Zero Day Initiative, Cisco Talos, Kaspersky Labs, and Palo Alto Networks, among others, have been credited with reporting the vulnerabilities.
In May, Adobe resolved a set of critical bugs in Flash and Creative Cloud. If left unpatched, the severe vulnerabilities could lead to remote code execution and unauthorized privilege escalation.