Adobe security update released for critical Flash, Acrobat, Reader bugs

The update aims to prevent code execution attacks and data leaks.
Written by Charlie Osborne, Contributing Writer

Adobe's May patch update has resolved severe security issues in Flash, Acrobat, and Reader that may lead to information disclosure or arbitrary code execution.

On Tuesday, the tech giant released a set of advisories detailing the vulnerabilities reported and fixed this month.

The largest security update relates to Adobe Acrobat and Reader DC and 2017 on Windows and Mac machines. In total, 84 vulnerabilities have been tackled, all of which are deemed "important" or "critical."  

Adobe's focus this month appears to be on fixing security flaws which can lead to arbitrary code execution in the software. 

A total of six out-of-bounds write problems, one type confusion error, 36 use-after-free vulnerabilities, two heap overflow bugs, one buffer error, one double free issue, and one security bypass were all resolved. Each vulnerability is labeled as critical.

In addition, 36 of the bugs squashed this month in Acrobat and Reader are out-of-bounds read problems which can be exploited to leak information.

Adobe Flash is a common participant in the vendor's security updates and this month is no exception. However, only a single security flaw has been resolved in the latest update, CVE-2019-7837, which is a critical use-after-free problem that can be abused in order to perform arbitrary code execution in the context of the current user.

An update has also been issued for Adobe Media Encoder which resolves CVE-2019-7842 and CVE-2019-7844, a use-after-free remote code execution flaw and an out-of-bounds read bug.

If exploited, the flaws can lead to arbitrary code execution in the context of the current user.

Adobe thanked researchers working with the Trend Micro Zero Day Initiative, Tencent Security Xuanwu Lab, Palo Alto Networks, and Cisco Talos, among others, for reporting this month's bugs.

It is recommended that users allow automatic updates and bring their software builds up to the latest version available to mitigate the risk of exploitation.

In April, Adobe released a vast patch update tackling bugs in software including Adobe Bridge CC, Adobe Experience Manager Forms, InDesign, Adobe XD, Adobe Dreamweaver, Adobe Shockwave Player, and Adobe Flash Player. Some of the vulnerabilities fixed by the update could lead to information leaks and remote code execution.

In related news, on Tuesday Microsoft released its Patch Tuesday security bundle, containing fixes for 79 vulnerabilities including a zero-day security flaw which is being actively exploited in the wild.

