Adobe Patches Vulnerabilities

Thursday, July 14, 2016 @ 04:07 PM gHale


Adobe issued security updates for Flash Player, Acrobat, Reader, and XMP Toolkit for Java, to address multiple critical vulnerabilities.

This month, 52 security bugs were fixed in Flash Player, including vulnerabilities that are under attack or have a higher risk of being targeted.

Adobe Flash Player 22.0.0.209 and Flash Player Extended Support Release 18.0.0.366 for Windows and Mac, and Adobe Flash Player for Linux 11.2.202.632, resolve these issues.

The vulnerabilities were also fixed in version 22.0.0.209 of Adobe Flash Player for Google Chrome for Windows, Macintosh, Linux and ChromeOS and of Adobe Flash Player for Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1.

The update fixes type confusion flaws (CVE-2016-4223, CVE-2016-4224, CVE-2016-4225), use-after-free bugs (CVE-2016-4173, CVE-2016-4174, CVE-2016-4222, CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4248), a heap buffer overflow vulnerability (CVE-2016-4249), stack corruption issues (CVE-2016-4176, CVE-2016-4177), and 33 memory corruption vulnerabilities that could lead to code execution.

Adobe also mitigated a race condition vulnerability that could lead to information disclosure (CVE-2016-4247), a memory leak vulnerability (CVE-2016-4232), and a security bypass vulnerability that could lead to information disclosure (CVE-2016-4178) in Flash Player.

As always, users should update the runtime via the official channels to stay protected.

For Acrobat and Reader, there were 30 security flaws for Windows and Mac OS X, most of which could result in code execution and could potentially allow an attacker to take control of the affected system.

The new patches are available for the Continuous and Classic tracks, as well as for Acrobat XI and Reader XI releases.

The resolved vulnerabilities include an integer overflow issue (CVE-2016-4210), a use-after-free vulnerability (CVE-2016-4190), and a heap buffer overflow bug (CVE-2016-4209), as well as 26 memory corruption vulnerabilities. Additionally, the security patches address various methods to bypass restrictions on JavaScript API execution (CVE-2016-4215).

Acrobat DC and Acrobat Reader DC versions 15.017.20050 (Continuous track) and 15.006.30198 (Classic track), and Acrobat XI and Reader XI version 11.0.17 (Desktop track), resolve the issues. Although there are currently no known exploits for these flaws, users are advised to update their software as soon as possible to stay protected.

The security update released for Adobe XMP Toolkit for Java resolves a vulnerability associated with the parsing of crafted XML external entities in XMPCore that could lead to information disclosure (CVE-2016-4216). Discovered by Tim Allison of the MITRE Corporation, the flaw was resolved in version 5.1.3 of the product, Adobe said.
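For administrators checking a fleet against the fixed versions listed above, the following is an added example, not code from Adobe or from this article. The track labels, the inventory layout and the sample hosts are assumptions, as is treating any version at or above the listed one as patched; the comparison is numeric per component, because a plain string comparison would rank 11.0.9 above 11.0.17.

```python
# Fixed versions as listed in the article; the track labels are this example's own.
FIXED = {
    ("flash", "desktop"): "22.0.0.209",
    ("flash", "esr"): "18.0.0.366",
    ("flash", "linux"): "11.2.202.632",
    ("acrobat", "continuous"): "15.017.20050",
    ("acrobat", "classic"): "15.006.30198",
    ("acrobat", "xi"): "11.0.17",
    ("xmp-toolkit-java", "release"): "5.1.3",
}

def parse_version(text):
    """Split a dotted version into integers so 11.0.9 sorts below 11.0.17."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def status(product, track, installed):
    """Return 'patched', 'vulnerable' or 'unknown' for one installation."""
    fixed = FIXED.get((product.lower(), track.lower()))
    if fixed is None:
        return "unknown"  # never report an unrecognised track as safe
    try:
        have, need = parse_version(installed), parse_version(fixed)
    except ValueError:
        return "unknown"
    # Pad to equal length so "22.0.0" compares as 22.0.0.0.
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return "patched" if have >= need else "vulnerable"

def audit(inventory):
    """Return the rows that still need attention, with their status."""
    rows = []
    for host, product, track, installed in inventory:
        result = status(product, track, installed)
        if result != "patched":
            rows.append((host, product, track, installed, result))
    return rows

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("ws-01", "flash", "desktop", "22.0.0.192"),
    ("ws-02", "flash", "esr", "18.0.0.366"),
    ("ws-03", "acrobat", "xi", "11.0.9"),
    ("ws-04", "acrobat", "classic", "15.006.30198"),
    ("ws-05", "acrobat", "dc", "15.017.20050"),  # track label not in FIXED
]
```

Rows that come back as "unknown" need a manual look, since the track or version string could not be matched to one of the releases named in the article.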