Adobe releases massive patch update for Flash, Reader, Acrobat vulnerabilities

Adobe's latest security update includes patches for 18 vulnerabilities in Flash, as well as 34 flaws in Adobe Reader and Acrobat.
Written by Charlie Osborne, Contributing Writer

Adobe has issued a massive security update which patches a total of 52 vulnerabilities in Flash, Reader and Acrobat.

On Wednesday, Adobe issued its latest set of security updates for the Adobe Flash Player, Reader and Acrobat software. The updates for Windows, Mac and Linux users address "vulnerabilities that could potentially allow an attacker to take control of the affected system," according to the tech giant.

Adobe Flash Player and earlier, and earlier 13.x versions, and earlier 11.x versions, AIR Desktop Runtime and earlier versions as well as AIR SDK and SDK & Compiler and earlier versions are all affected and patched in this update, which includes fixes for a number of critical vulnerabilities.

The majority of Flash's security problems revolve around vulnerabilities which could lead to remote code execution. The update addresses memory corruption vulnerabilities, heap overflow problems, integer overflow vulnerabilities, type confusion problems and use-after-free vulnerabilities.

In addition, the latest patch update resolves a time-of-check to time-of-use (TOCTOU) race condition which could be exploited to bypass Protected Mode in Internet Explorer, validation bypass issues which could be exploited to write arbitrary data to the file system under user permissions, memory leak vulnerabilities that could be used to bypass ASLR and a security bypass vulnerability which could lead to information leaks.

The Adobe Reader and Acrobat updates affect Adobe Reader XI (11.0.10) and earlier 11.x versions, Reader X (10.1.13) and earlier 10.x versions, Acrobat XI (11.0.10) and earlier 11.x versions, as well as Acrobat X (10.1.13) and earlier 10.x versions. Adobe Acrobat Reader DC is not affected by this security update.
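As an added example (not code from the article or from Adobe), the following Python check takes a constructed host inventory of product and version strings and flags installs that fall inside the affected ranges listed above: 11.x up to and including 11.0.10 and 10.x up to and including 10.1.13 for both Reader and Acrobat, with Acrobat Reader DC left out because the bulletin says it is not affected. The product labels, the inventory and the function names are assumptions made for the example.

```python
# Added example, not part of the article. The affected ceilings below are the
# version numbers the article quotes from Adobe's bulletin; everything else
# (product labels, inventory rows, function names) is constructed here.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Highest affected version per (product, major branch). Anything at or below
# the ceiling in that branch is in the affected range; other branches
# (e.g. Acrobat Reader DC, which is 15.x) are not listed and are not flagged.
AFFECTED_CEILING: Dict[Tuple[str, int], Version] = {
    ("Reader", 11): (11, 0, 10),
    ("Reader", 10): (10, 1, 13),
    ("Acrobat", 11): (11, 0, 10),
    ("Acrobat", 10): (10, 1, 13),
}


def parse_version(text: str) -> Version:
    """Turn '11.0.10' into (11, 0, 10). Non-numeric components raise ValueError."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError("empty version string")
    return parts


def is_affected(product: str, version: str) -> bool:
    """True when the product/version pair falls in an affected range from the bulletin."""
    v = parse_version(version)
    ceiling = AFFECTED_CEILING.get((product, v[0]))
    if ceiling is None:
        # Branch not named in the bulletin (e.g. Acrobat Reader DC): not flagged.
        return False
    # Pad short strings so '11.0' compares as (11, 0, 0), then use tuple ordering.
    v3 = (v + (0, 0, 0))[:3]
    return v3 <= ceiling


# Constructed inventory: (hostname, product, installed version).
CONSTRUCTED_INVENTORY: List[Tuple[str, str, str]] = [
    ("host-01", "Reader", "11.0.10"),            # top of the affected 11.x range
    ("host-02", "Reader", "11.0.11"),            # above the ceiling, not flagged
    ("host-03", "Acrobat", "10.1.13"),           # top of the affected 10.x range
    ("host-04", "Acrobat", "10.1.14"),           # above the ceiling, not flagged
    ("host-05", "Acrobat Reader DC", "15.007.20033"),  # DC is not affected
    ("host-06", "Reader", "10.0.1"),             # older 10.x build, flagged
]


def affected_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose installed product/version is in an affected range."""
    return [host for host, product, version in inventory if is_affected(product, version)]


if __name__ == "__main__":
    for host in affected_hosts(CONSTRUCTED_INVENTORY):
        print(f"{host}: affected build, apply the Reader/Acrobat update")
```

The comparison is done on integer tuples rather than on strings so that a build such as 10.1.13 sorts after 10.1.9, which a plain string comparison would get wrong; a branch the bulletin does not name is deliberately left unflagged rather than guessed at.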

These updates also patch critical vulnerabilities which could lead to code execution. The security update resolves use-after-free vulnerabilities, heap-based buffer overflow vulnerabilities, a buffer overflow vulnerability and memory corruption vulnerabilities.

In addition, the update resolves a memory leak, various channels to bypass restrictions on JavaScript API execution, a null-pointer dereference issue that could lead to a denial-of-service condition, and includes additional protection for a vulnerability in the handling of XML external entities that could lead to information disclosure.

Adobe recommends that users accept automatic updates for the Adobe Flash Player desktop runtime for Windows and Mac when prompted, or update manually via the Adobe Flash Player Download Center. Users of the Adobe Flash Player Extended Support Release should update to version through this update, Linux users should visit the Download Center to update to Adobe Flash Player, and users of Google Chrome with Flash or IE will receive an automatic update. Adobe AIR users should visit the Download Center.

Adobe recommends users accept automatic updates for both Reader and Acrobat.

Within the security bulletin, Adobe has given credit to KeenTeam, Chromium Vulnerability Reward Program entrants, Google Project Zero researchers, McAfee Labs, HP's Zero Day Initiative team, among others.

On Wednesday, Mozilla released its latest version of Firefox, 38, which patches 13 security problems -- including five vulnerabilities deemed critical.
