Adobe patches 67 vulnerabilities in Flash, Reader

The round of patches fixes critical issues, many of which lead to remote code execution.
Written by Charlie Osborne, Contributing Writer

Video: A brief history of Adobe Flash

Adobe's latest security update has swatted a total of 67 bugs, some of them critical, in Adobe Flash, Acrobat, and Reader.


On Tuesday, the software provider released a security advisory detailing a huge amount of vulnerabilities which have now been fixed in the latest patch round.

Adobe Flash Player, Photoshop CC, Connect, Acrobat and Reader, DNG Converter, InDesign, Digital Editions, Shockwave Player, and Adobe Experience Manager are all included.

In total, Adobe has resolved five vulnerabilities in Flash player, a constant presence in security updates.

Impacting Windows, Mac, Linux, and Chrome OS, the problems are all deemed critical and can all lead to remote code execution due to out-of-bounds read and use-after-free bugs.

However, the update to Adobe Acrobat and Reader is the largest, with 62 security flaws being resolved that impact Windows and Mac machines. The majority of the bugs, 58 in total, can lead to remote code execution due to type confusion issues, out-of-bounds read and write, buffer issues and use-after-free bugs.

A total of seven vulnerabilities have been resolved in Adobe Photoshop and Adobe Connect, including security flaws which can lead to remote code execution and information leaks.

In Shockwave, Adobe's update fixed a critical  memory corruption vulnerability that could lead to remote code execution in versions and earlier on the Windows platform.

Adobe has also resolved security issues in Adobe Experience Manager, two cross-site scripting (XSS) vulnerabilities found within HtmlRendererServlet and Apache Sling Servlets, as well as an information disclosure bug. Versions 6.0 to 6.3 are impacted on all platforms.

In addition, a critical memory corruption vulnerability impacting InDesign versions 12.1.0 and earlier which could lead to remote code execution has been fixed, together with another memory corruption bug in Adobe DNG Converter versions 9.12.1 and earlier on Windows.

Adobe Digital Editions, versions 4.5.6 and earlier on Windows, Mac, iOS, and Android, has also been included in this security update. In total, six bugs have been patched, including a critical issue caused by unsafe parsing of XML leading to information leaks and five memory address disclosure problems.

The company acknowledged researchers from Source Incite, Tencent, FortiGuard Labs, Trend Micro's Zero Day Initiative, and Palo Alto Networks, among others, for reporting the vulnerabilities.

Adobe recommends that users and IT staff immediately apply automatic updates to stay safe from exploits.

10 steps to learn how to hack

Previous and related coverage

    SEC admits data breach, suggests illicit trading was key

    The commission says that "illicit gain through trading" may have been the key motivator.

    How criminals clear your stolen iPhone for resale

    Criminals have dedicated themselves to compromising iCloud accounts to wipe clean stolen devices using a set of interesting tools.

    Ethereum user accidentally exploits major vulnerability, locks wallets

    Wallets are frozen while Parity works on a solution.

      Editorial standards