
Digital Guardian's Blog

Adobe Patches 86 Vulnerabilities Across Nine Products



Adobe's Patch Tuesday update resolved 86 vulnerabilities, 70 of them critical.

Admins with Adobe products deployed on their networks will need to carve out some time in the near future to apply fixes for the nearly 100 vulnerabilities highlighted in this week’s Patch Tuesday update.

The company patched 86 vulnerabilities across nine different platforms, including Flash Player, Photoshop CC, Connect, Acrobat and Reader, DNG Converter, InDesign CC, Digital Editions, Shockwave Player, and Adobe Experience Manager.

While none of the vulnerabilities are currently being exploited in the wild, the bulk of them – 70 – are rated critical. Most of the critical vulnerabilities, 58, exist in the company's ubiquitous PDF reader, Acrobat and Reader.

The bugs, a combination of use after free, access of uninitialized pointer, buffer over-read, heap overflow, and out-of-bounds read vulnerabilities, could all lead to remote code execution if left unpatched. The update brings Acrobat and Acrobat Reader 2017 from 2017.011.30066 to 2017.011.30068 and Acrobat XI and Reader XI from 11.0.22 to 11.0.23.

Five vulnerabilities in perennial patch candidate Flash Player were also addressed on Tuesday. All of them – three out-of-bounds read bugs and two use-after-free bugs – can lead to remote code execution.

The update for Adobe Connect, the company’s web conferencing software, resolves five vulnerabilities: a server-side request forgery vulnerability that could be abused to bypass network access controls, three input validation vulnerabilities that could be used in reflected cross-site scripting (XSS) attacks, and an update to protect users against clickjacking attacks.

Clickjacking, also known as a UI redress attack, is when an attacker tricks a victim into clicking through to a website that's different from what the user expected to click on, something that could lead to the disclosure of credentials or account takeover in some instances.
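The standard server-side defence against the clickjacking the Connect update addresses is to tell browsers the page may not be framed. The following is an added example, not code from Adobe or from this article: it evaluates a response's `X-Frame-Options` and `Content-Security-Policy` `frame-ancestors` headers (both real headers) and reports how well the page is protected, and it shows a deny-all hardening of a header set. The sample header sets are constructed for illustration; `partner.example` is a placeholder host.

```python
"""Evaluate whether an HTTP response forbids being embedded in a frame.

Added example for this article, not code from Adobe or Digital Guardian.
Reads two real response headers, X-Frame-Options and Content-Security-Policy
(frame-ancestors directive), and classifies the clickjacking protection."""
from typing import Dict, List, Optional, Tuple


def _find_key(headers: Dict[str, str], name: str) -> Optional[str]:
    """Return the dict key matching an HTTP header name, case-insensitively."""
    for key in headers:
        if key.lower() == name.lower():
            return key
    return None


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    key = _find_key(headers, name)
    return None if key is None else headers[key]


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> Tuple[str, str]:
    """Classify as denied / same-origin / restricted / weak / unprotected.

    Browsers that support CSP ignore X-Frame-Options when a frame-ancestors
    directive is present, so CSP is checked first and is authoritative.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            if sources == ["'none'"]:
                return "denied", "CSP frame-ancestors 'none' forbids all framing"
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                return "unprotected", "CSP frame-ancestors allows any origin to frame the page"
            if sources == ["'self'"]:
                return "same-origin", "CSP frame-ancestors 'self' allows only same-origin framing"
            return "restricted", "CSP frame-ancestors limits framing to: " + " ".join(sources)

    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return "unprotected", "neither CSP frame-ancestors nor X-Frame-Options is set"
    value = xfo.strip().upper()
    if value == "DENY":
        return "denied", "X-Frame-Options: DENY forbids all framing"
    if value == "SAMEORIGIN":
        return "same-origin", "X-Frame-Options: SAMEORIGIN allows only same-origin framing"
    if value.startswith("ALLOW-FROM"):
        return "weak", "X-Frame-Options: ALLOW-FROM is obsolete and ignored by current browsers"
    return "unprotected", f"unrecognised X-Frame-Options value {xfo!r} is ignored by browsers"


def add_frame_protection(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with a deny-all framing policy.

    Both headers are set so that older browsers without CSP support are
    covered too; an existing frame-ancestors directive is left as the site's
    own decision.
    """
    hardened = dict(headers)
    hardened[_find_key(hardened, "X-Frame-Options") or "X-Frame-Options"] = "DENY"
    csp_key = _find_key(hardened, "Content-Security-Policy")
    if csp_key is None:
        hardened["Content-Security-Policy"] = "frame-ancestors 'none'"
    elif frame_ancestors(hardened[csp_key]) is None:
        hardened[csp_key] = hardened[csp_key].rstrip().rstrip(";") + "; frame-ancestors 'none'"
    return hardened


# Constructed sample responses (placeholder hosts, not real sites).
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "legacy-deny": {"X-Frame-Options": "DENY"},
    "csp-wins": {"X-Frame-Options": "SAMEORIGIN",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, framing_policy(hdrs))
    print(add_frame_protection(SAMPLE_RESPONSES["unprotected"]))
```

Run over captured response headers, the classifier gives a quick inventory of which applications still rely on no header at all or on the obsolete `ALLOW-FROM` form; `add_frame_protection` is the shape of the fix a front-end proxy or application middleware would apply.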

Adobe fixed six bugs in its e-book reader software program Digital Editions. The fixes remedy an XML external entity processing vulnerability that could lead to information disclosure, out-of-bounds read vulnerabilities that could lead to the disclosure of memory addresses and a memory corruption vulnerability that could lead to the disclosure of memory addresses.
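The XML external entity bug in Digital Editions is an instance of a parser being allowed to act on entity declarations in untrusted input. The following is an added example, not code from Adobe or from this article, of parsing untrusted XML defensively with only Python's standard-library expat binding: every entity declaration aborts the parse, and external entity resolution is refused as a second line of defence. The three documents at the bottom are constructed samples; the `file:///placeholder/...` path is a placeholder, not a real target.

```python
"""Parse untrusted XML while refusing entity declarations and external entity
resolution, the mechanisms behind XML external entity (XXE) attacks.

Added example for this article, not code from Adobe or Digital Guardian; it
uses only the standard-library expat binding. The sample documents at the
bottom are constructed (the SYSTEM identifier is a placeholder path)."""
import xml.parsers.expat
from typing import Dict, Tuple


class UnsafeXML(ValueError):
    """Raised when a document declares or references an entity."""


def parse_untrusted_xml(data: bytes) -> Dict[str, str]:
    """Return {tag: text} for every element that contains text.

    Any <!ENTITY ...> declaration aborts the parse: SYSTEM/PUBLIC entities can
    read local files or reach internal URLs (XXE), and even internal entities
    enable exponential-expansion denial of service ("billion laughs").
    """
    parser = xml.parsers.expat.ParserCreate()
    # Never fetch an external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    result: Dict[str, str] = {}
    buffer = []

    def entity_decl(name, is_parameter_entity, value, base, system_id, public_id, notation_name):
        kind = "external" if (system_id or public_id) else "internal"
        # An exception raised inside an expat handler aborts Parse() and propagates.
        raise UnsafeXML(f"{kind} entity declaration {name!r} refused")

    def external_entity_ref(context, base, system_id, public_id):
        # Defence in depth: even if a declaration were missed, never resolve one.
        raise UnsafeXML(f"external entity reference to {system_id!r} refused")

    def start_element(tag, attrs):
        buffer.clear()

    def character_data(text):
        buffer.append(text)  # expat may deliver text in several chunks

    def end_element(tag):
        content = "".join(buffer).strip()
        if content:
            result[tag] = content
        buffer.clear()

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = character_data
    parser.EndElementHandler = end_element

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    return result


def check_xml(data: bytes) -> Tuple[bool, str]:
    """Convenience wrapper returning (accepted, reason) instead of raising."""
    try:
        parsed = parse_untrusted_xml(data)
    except UnsafeXML as exc:
        return False, f"rejected: {exc}"
    except ValueError as exc:
        return False, str(exc)
    return True, f"accepted: {parsed}"


# Constructed samples; the SYSTEM identifier below is a placeholder path.
BENIGN_XML = b"<book><title>Patch Tuesday</title><pages>12</pages></book>"
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE book [<!ENTITY leak SYSTEM "file:///placeholder/secret.txt">]>'
           b"<book><title>&leak;</title></book>")
BOMB_XML = (b'<!DOCTYPE book [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
            b"<book><title>&b;</title></book>")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("xxe", XXE_XML), ("bomb", BOMB_XML)):
        print(label, check_xml(doc))
```

The design choice is to reject at the declaration, before any entity is referenced, rather than to try to distinguish harmless entities from harmful ones; a document format that legitimately needs a DTD should be parsed with a validating parser configured for that specific DTD, not with a general-purpose untrusted-input path.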

The remaining patches address issues in InDesign, Shockwave, Photoshop, and DNG Converter, a free utility offered by Adobe that converts files from more than 75 cameras to Digital Negative (DNG). All of the bugs could lead to code execution, save for the DNG Converter bug, which could lead to memory corruption.

The Flash updates are the latest the company has issued as it prepares to kill off the software at the end of 2020. At that point Adobe will stop releasing updates for Flash, and web browsers will no longer support it.

Chris Brook

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.