
Adobe Patches 86 Vulnerabilities Across Nine Products

by Chris Brook on Wednesday November 15, 2017


Adobe's Patch Tuesday update resolved 86 vulnerabilities, 70 of them critical.

Admins with Adobe products deployed on their networks will need to carve out some time in the near future to apply fixes for the nearly 100 vulnerabilities highlighted in this week’s Patch Tuesday update.

The company patched 86 vulnerabilities across nine different platforms, including Flash Player, Photoshop CC, Connect, Acrobat and Reader, DNG Converter, InDesign CC, Digital Editions, Shockwave Player, and Adobe Experience Manager.

While none of the vulnerabilities is currently being exploited in the wild, the bulk of them – 70 – are rated critical. Most of the critical vulnerabilities, 58, are in the company's ubiquitous PDF software, Acrobat and Reader.

The bugs, a combination of use after free, access of uninitialized pointer, buffer over-read, heap overflow, and out-of-bounds read vulnerabilities, could all lead to remote code execution if left unpatched. The update brings Acrobat and Acrobat Reader 2017 from 2017.011.30066 to 2017.011.30068 and Acrobat XI and Reader XI from 11.0.22 to 11.0.23.
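The build numbers above are what an administrator actually checks an inventory against. The following is an added example (not code from the article or from Adobe) that parses dotted Adobe version strings, compares an installed build to the fixed build the article quotes for each Acrobat/Reader line, and classifies inventory rows; the hostnames and installed builds in the sample inventory are constructed, and the Photoshop row is there only to show how a product the table does not cover is reported.

```python
"""Version triage against the Acrobat/Reader fixed builds quoted in the article.

Added example, not code from the article or from Adobe. The fixed build numbers
are the ones the article gives; the inventory below is constructed.
"""
import re

# Fixed versions named in the article (product family -> patched build).
FIXED_VERSIONS = {
    "Acrobat 2017": "2017.011.30068",
    "Acrobat Reader 2017": "2017.011.30068",
    "Acrobat XI": "11.0.23",
    "Reader XI": "11.0.23",
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text):
    """Turn a dotted version such as '2017.011.30066' into a tuple of ints.

    Leading zeros ('011') are cosmetic; int() drops them, so
    '2017.011.30066' and '2017.11.30066' compare equal.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b.

    Shorter tuples are zero-padded so '11.0' equals '11.0.0'.
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_patched(product, installed):
    """True if the installed build is at or beyond the fixed build for product."""
    return compare_versions(installed, FIXED_VERSIONS[product]) >= 0


def triage(inventory):
    """Classify each (host, product, version) row.

    Returns (host, product, version, status) with status one of
    'patched', 'vulnerable' or 'unknown product'.
    """
    results = []
    for host, product, installed in inventory:
        if product not in FIXED_VERSIONS:
            status = "unknown product"
        elif is_patched(product, installed):
            status = "patched"
        else:
            status = "vulnerable"
        results.append((host, product, installed, status))
    return results


# Constructed inventory: hostnames and installed builds are invented for this example.
SAMPLE_INVENTORY = [
    ("ws-finance-01", "Acrobat Reader 2017", "2017.011.30066"),
    ("ws-finance-02", "Acrobat Reader 2017", "2017.011.30068"),
    ("ws-legal-07", "Acrobat XI", "11.0.22"),
    ("ws-legal-08", "Reader XI", "11.0.23"),
    ("srv-design-01", "Photoshop CC", "19.0"),  # not in the table above
]

if __name__ == "__main__":
    for host, product, installed, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {product:20} {installed:16} {status}")
```

Versions are compared numerically component by component rather than as strings, which matters here: a lexical comparison of "2017.011.30066" and "2017.11.30068" would get the answer wrong because of the leading zero.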

Five vulnerabilities in perennial patch candidate Flash Player were also addressed on Tuesday. All of the vulnerabilities – three out-of-bounds read and two use after free – can lead to remote code execution.

The update for Adobe Connect, the company’s web conferencing software, resolves five vulnerabilities: a server-side request forgery vulnerability that could be abused to bypass network access controls, three input validation vulnerabilities that could be used in reflected cross-site scripting (XSS) attacks, and an update to protect users against clickjacking attacks.

Clickjacking, also known as a UI redress attack, is an attack in which a victim is tricked into clicking through to a website different from the one the user expected to click on, something that could lead to the disclosure of credentials or account takeover in some instances.
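The article does not say how the Connect update defends against clickjacking. The standard controls are the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive, which tell the browser whether a page may be embedded in a frame at all. The following is an added example (not the article's or Adobe's code) that parses a captured HTTP response head and reports whether the page is protected against framing; the sample responses are constructed, and the assumption is that a framing restriction is the defense being checked.

```python
"""Check an HTTP response head for clickjacking (UI redress) protection.

Added example, not from the article and not a description of Adobe's fix.
Assumes the defense is X-Frame-Options and/or CSP frame-ancestors.
"""


def _parse_headers(raw_response):
    """Parse a raw response head into {lowercase-name: [values]}; body is ignored."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _frame_ancestors(csp_values):
    """Return the frame-ancestors source list from CSP values, or None if absent."""
    for value in csp_values:
        for directive in value.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.lower() for p in parts[1:]]
    return None


def framing_protection(raw_response):
    """Classify a response as 'protected', 'weak' or 'unprotected' against framing.

    - CSP frame-ancestors present: it takes precedence over X-Frame-Options in
      browsers that support it; '*' or a bare scheme allows any site to frame.
    - X-Frame-Options DENY or SAMEORIGIN: protected.
    - X-Frame-Options ALLOW-FROM: weak, since current browsers ignore it.
    - nothing at all: unprotected.
    """
    headers = _parse_headers(raw_response)
    ancestors = _frame_ancestors(headers.get("content-security-policy", []))
    if ancestors is not None:
        if any(src in ("*", "http:", "https:") for src in ancestors):
            return "unprotected"
        return "protected"
    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    if any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        return "protected"
    if any(v.startswith("ALLOW-FROM") for v in xfo):
        return "weak"
    return "unprotected"


# Constructed response heads used as sample input.
RESP_NONE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
RESP_XFO = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
RESP_CSP = ("HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; "
            "frame-ancestors 'none'\r\n\r\n")
RESP_ALLOWFROM = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://example.com\r\n\r\n"
RESP_CSP_WILDCARD = ("HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors *\r\n"
                     "X-Frame-Options: DENY\r\n\r\n")

if __name__ == "__main__":
    for label, resp in [("no header", RESP_NONE), ("XFO", RESP_XFO), ("CSP", RESP_CSP),
                        ("ALLOW-FROM", RESP_ALLOWFROM), ("CSP wildcard", RESP_CSP_WILDCARD)]:
        print(f"{label:12} {framing_protection(resp)}")
```

The last sample matters in practice: a permissive frame-ancestors directive overrides a strict X-Frame-Options header in browsers that implement CSP level 2, so checking only for the presence of X-Frame-Options gives a false sense of safety.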

Adobe fixed six bugs in its e-book reader, Digital Editions. The fixes remedy an XML external entity processing vulnerability that could lead to information disclosure, out-of-bounds read vulnerabilities that could lead to the disclosure of memory addresses, and a memory corruption vulnerability that could lead to the disclosure of memory addresses.

The remaining patches address issues in InDesign, Shockwave, Photoshop, and DNG Converter, a free utility offered by Adobe that converts files from more than 75 cameras to Digital Negative (DNG). All of the bugs, save for the DNG Converter bug, which could lead to memory corruption, could lead to code execution.

The Flash updates are the latest the company has issued as it prepares to kill off the software at the end of 2020. At that point Adobe will stop releasing updates for Flash and web browsers will no longer support it.

Tags:  Security News
