Adobe’s massive patch update fixes critical Acrobat, Reader bugs

The February security release resolves 44 critical vulnerabilities in Adobe software.

Adobe has released a large security update which resolves vulnerabilities in software including Acrobat, Reader, Flash, ColdFusion, and Creative Cloud.

The main release impacts Acrobat DC and Reader DC versions 2019.010.20069 and earlier, Acrobat Classic 2017 and Acrobat Reader 2017 versions 2017.011.30113 and earlier, as well as Acrobat DC and Acrobat Reader DC Classic 2015 which are all affected on Windows and macOS machines.

In total, 43 of the vulnerabilities affecting Adobe Acrobat and Reader are deemed critical, and the tech giant has also patched 28 bugs considered important.

Among the critical vulnerabilities patched is a zero-day flaw in Acrobat Reader, disclosed in January, which could lead to the theft of hashed password values. 0patch published a micropatch for the issue this week.

Other critical bugs resolved in the update include buffer errors, sensitive data leakage, an integer overflow vulnerability which could lead to information disclosure, a double-free bug, security bypass problems, and use-after-free issues leading to arbitrary code execution.

The important vulnerabilities resolved in the February update are a swathe of out-of-bounds read issues which could lead to information disclosure if exploited by attackers.

In the past, Flash has often been the recipient of large batches of security updates to fix serious vulnerabilities. In the February update, however, the software has only been given a patch to resolve one important security flaw, an out-of-bounds read issue which could lead to information disclosure.

Adobe Flash version 32.0.0.114 and earlier, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Microsoft Edge & Internet Explorer 11 on Windows, macOS, and Chrome OS are affected.

ColdFusion versions 2018, 2016, and 11 have also been included in the latest batch of security fixes. The update resolves a critical deserialization of untrusted data issue and an important cross-site scripting (XSS) bug which could lead to arbitrary code execution and information disclosure, respectively.

Adobe also released a single fix for the Creative Cloud desktop application versions 4.7.0.400 and earlier. The patch is applied to the application's installer to fix an insecure library loading bug which, if exploited, could lead to privilege escalation.
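For a defender, the practical question raised by the version ceilings quoted above is which installed builds fall inside them. The following is an added example, not code from the article or from Adobe: it encodes the "version X and earlier" ceilings the article gives for Acrobat/Reader, Flash Player and Creative Cloud (Classic 2015 and the listed ColdFusion releases are treated as affected on every build, as the article states), and checks a constructed software inventory against them. Host names, the inventory rows and the product "ExampleApp" are constructed placeholders; the Acrobat build "2019.010.20099" is a constructed number chosen only to be newer than the ceiling, not Adobe's fixed version.

```python
"""Check an installed-software inventory against the affected-version ceilings
quoted in the article. Added example: the ceilings come from the text, every
inventory row below is constructed."""
from dataclasses import dataclass
from itertools import zip_longest
from typing import Optional


@dataclass(frozen=True)
class AffectedRange:
    product: str
    track: str
    ceiling: Optional[str]  # "ceiling and earlier" is affected; None = whole track affected


# Ceilings as stated in the article ("versions X and earlier").
AFFECTED_RANGES = (
    AffectedRange("Acrobat/Reader", "DC Continuous", "2019.010.20069"),
    AffectedRange("Acrobat/Reader", "Classic 2017", "2017.011.30113"),
    AffectedRange("Acrobat/Reader", "Classic 2015", None),  # article: all Classic 2015 affected
    AffectedRange("Flash Player", "desktop", "32.0.0.114"),
    AffectedRange("Creative Cloud", "desktop", "4.7.0.400"),
    AffectedRange("ColdFusion", "2018", None),  # article lists the release, no build ceiling
    AffectedRange("ColdFusion", "2016", None),
    AffectedRange("ColdFusion", "11", None),
)


def parse_version(version: str) -> tuple:
    """Split a dotted version into integers. Adobe zero-pads components
    ("010"), so a lexical comparison would sort "2019.9" after "2019.010";
    converting each component to int avoids that."""
    return tuple(int(part) for part in version.strip().split("."))


def version_le(installed: str, ceiling: str) -> bool:
    """True if installed <= ceiling. Shorter versions are padded with zeros,
    so "32.0.1" and "32.0.1.0" compare equal."""
    pairs = list(zip_longest(parse_version(installed), parse_version(ceiling), fillvalue=0))
    return tuple(p[0] for p in pairs) <= tuple(p[1] for p in pairs)


def is_affected(product: str, track: str, installed: str) -> Optional[bool]:
    """True/False for a product track the article covers; None for anything
    else, which the caller must not read as 'safe'."""
    for rng in AFFECTED_RANGES:
        if rng.product == product and rng.track == track:
            return True if rng.ceiling is None else version_le(installed, rng.ceiling)
    return None


# Constructed inventory: (host, product, track, installed version).
INVENTORY = (
    ("ws-01", "Acrobat/Reader", "DC Continuous", "2019.010.20069"),  # equals ceiling -> affected
    ("ws-02", "Acrobat/Reader", "DC Continuous", "2019.010.20099"),  # constructed newer build
    ("ws-03", "Acrobat/Reader", "Classic 2017", "2017.011.30110"),
    ("ws-04", "Acrobat/Reader", "Classic 2015", "2015.006.30464"),  # constructed build
    ("ws-05", "Flash Player", "desktop", "32.0.0.101"),
    ("ws-06", "Creative Cloud", "desktop", "4.7.0.400"),
    ("ws-07", "Creative Cloud", "desktop", "4.8.0.1"),
    ("ws-08", "ExampleApp", "desktop", "1.0"),  # hypothetical product: not covered -> unknown
)


def audit(inventory):
    """Return (host, product, version, status) rows; status is 'affected',
    'not affected' or 'unknown'."""
    rows = []
    for host, product, track, version in inventory:
        result = is_affected(product, track, version)
        status = "unknown" if result is None else ("affected" if result else "not affected")
        rows.append((host, product, version, status))
    return rows


if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("%-6s %-15s %-16s %s" % row)
```

Two details matter in practice: the comparison must be numeric per component (a string sort would put "2019.9" above "2019.010"), and a product or track the table does not know about is reported as "unknown" rather than silently passing, since an inventory gap is not evidence of a patched host.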

Adobe thanked researchers who disclosed the bugs through Trend Micro's Zero Day Initiative, Cisco Talos, Check Point Research, and Palo Alto Networks, among others.