Adobe has issued a massive security update which patches a total of 52 vulnerabilities in Flash, Reader and Acrobat.
On Wednesday, Adobe issued its latest set of security updates for the Adobe Flash Player, Reader and Acrobat software. The updates for Windows, Mac and Linux users address "vulnerabilities that could potentially allow an attacker to take control of the affected system," according to the tech giant.
Adobe Flash Player 18.104.22.168 and earlier, 22.214.171.1241 and earlier 13.x versions, 126.96.36.1997 and earlier 11.x versions, AIR Desktop Runtime 188.8.131.52 and earlier versions as well as AIR SDK and SDK & Compiler 184.108.40.206 and earlier versions are all affected and patched in this update, which includes fixes for a number of critical vulnerabilities.
The majority of Flash's security problems revolve around vulnerabilities which could lead to remote code execution. The update addresses memory corruption vulnerabilities, heap overflow problems, integer overflow vulnerabilities, type confusion problems and use-after-free vulnerabilities.
In addition, the latest patch update resolves a time-of-check time-of-use (TOCTOU) race condition which could be exploited to bypass Protected Mode in Internet Explorer, validation bypass issues which could be exploited to write arbitrary data to the file system under user permissions, memory leak vulnerabilities that could be used to bypass ASLR and a security bypass vulnerability which could lead to information leaks.
The Adobe Reader and Acrobat updates impact Adobe Reader XI (11.0.10) and earlier 11.x versions, Reader X (10.1.13) and earlier 10.x versions, Acrobat XI (11.0.10) and earlier 11.x versions, as well as Acrobat X (10.1.13) and earlier 10.x versions. Adobe Acrobat Reader DC is not affected by this security update.
These updates also patch critical vulnerabilities which could lead to code execution. The security update resolves use-after-free vulnerabilities, heap-based buffer overflow vulnerabilities, a buffer overflow vulnerability and memory corruption vulnerabilities.
Adobe recommends that users accept automatic updates for the Adobe Flash Player desktop runtime for Windows and Mac when prompted, or update manually via the Adobe Flash Player Download Center. Users of the Adobe Flash Player Extended Support Release should update to version 220.127.116.119 through this update, Linux users should visit the Download Center to update to Adobe Flash Player 18.104.22.1680, and users of Google Chrome with Flash or IE will receive an automatic update. Adobe AIR users should visit the Download Center.
Adobe recommends users accept automatic updates for both Reader and Acrobat.
Within the security bulletin, Adobe has given credit to KeenTeam, Chromium Vulnerability Reward Program entrants, Google Project Zero researchers, McAfee Labs, HP's Zero Day Initiative team, among others.
On Wednesday, Mozilla released its latest version of Firefox, 38, which patches 13 security problems -- including five vulnerabilities deemed critical.