
Adobe Patches Security Bugs in Flash Player and Eight Other Products

November 14, 2017, 12:31 PM

Earlier today, Adobe released its monthly security bulletin, and for the month of November 2017 the company patched nine products.

The products that received updates are:

Adobe Flash Player - FLV/SWF player/plugin
Adobe Photoshop CC - Photo editing software
Adobe Connect - Web conferencing platform
Adobe Acrobat and Reader - PDF editor/reader
Adobe DNG Converter - Photo raw files converter
Adobe InDesign - Desktop publishing software
Adobe Digital Editions - E-book reader
Adobe Shockwave Player - FLV/SWF player
Adobe Experience Manager - Enterprise CMS

In total, Adobe fixed 86 security flaws, broken down as follows: 5 in Flash Player, 2 in Photoshop, 5 in Connect, 62 in Acrobat and Reader, 1 in DNG Converter, 1 in InDesign, 6 in Digital Editions, 1 in Shockwave Player, 3 in Experience Manager.

Adobe Security Update Summary:

APSB17-33 Security updates available for Adobe Flash Player

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could lead to code execution. The latest Adobe Flash Player version number is now: 27.0.0.187.
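The bulletin sections on this page each quote the version number that contains the fix, which is what an inventory check needs. The following Python is an added example, not code from the article or from Adobe: it takes the fixed version numbers exactly as quoted on this page for the eight products that ship as a single version (AEM is left out because its fixes are hotfixes and cumulative fix packs) and reports which entries of a constructed software inventory are still below the fixed build. Product names, host names and the installed versions in the sample inventory are made up for the example.

```python
from dataclasses import dataclass

# Fixed ("latest") version numbers exactly as quoted in the bulletin sections of this page.
# AEM is omitted: its fixes ship as hotfixes and cumulative fix packs, not one version number.
FIXED_VERSIONS = {
    "Adobe Flash Player": ["27.0.0.187"],
    "Adobe Photoshop CC": ["19.0", "18.1.2"],   # two supported branches, one fix each
    "Adobe Connect": ["9.7"],
    "Adobe Acrobat and Reader": ["2018.009.20044"],
    "Adobe DNG Converter": ["10.0"],
    "Adobe InDesign": ["13.0"],
    "Adobe Digital Editions": ["4.5.7"],
    "Adobe Shockwave Player": ["12.3.1.201"],
}


def parse_version(text):
    """Turn a dotted version string into a tuple of ints so it compares numerically.

    Leading zeros ("009") and differing segment counts are handled by int() and
    Python's tuple ordering; anything non-numeric is rejected rather than guessed at.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(product, installed):
    """True when the installed build is at or above the bulletin's fixed build."""
    fixed = sorted(parse_version(v) for v in FIXED_VERSIONS[product])
    current = parse_version(installed)
    # Compare against the fixed build of the same major branch when the bulletin lists
    # one (Photoshop 18.x vs 19.x). An install on a branch the bulletin does not mention
    # must be at or above the newest fix; otherwise it is flagged for attention.
    same_branch = [f for f in fixed if f[0] == current[0]]
    target = same_branch[0] if same_branch else fixed[-1]
    return current >= target


@dataclass
class Finding:
    host: str
    product: str
    installed: str
    patched: bool


def audit(inventory):
    """inventory: iterable of (host, product, installed_version).

    Products that this bulletin does not cover are skipped, not guessed at.
    """
    findings = []
    for host, product, version in inventory:
        if product not in FIXED_VERSIONS:
            continue
        findings.append(Finding(host, product, version, is_patched(product, version)))
    return findings


# Constructed sample inventory: host names and installed versions are made up.
SAMPLE_INVENTORY = [
    ("ws-101", "Adobe Flash Player", "27.0.0.183"),
    ("ws-101", "Adobe Acrobat and Reader", "2018.009.20044"),
    ("ws-102", "Adobe Photoshop CC", "18.1.1"),
    ("ws-103", "Adobe Photoshop CC", "19.0"),
    ("ws-104", "Adobe Acrobat and Reader", "15.023.20070"),
    ("ws-104", "Adobe Premiere Pro", "12.0"),   # not in this bulletin: skipped
]


def unpatched_hosts(inventory=SAMPLE_INVENTORY):
    """Sorted list of hosts with at least one product below its fixed build."""
    return sorted({f.host for f in audit(inventory) if not f.patched})


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        state = "OK" if f.patched else "UPDATE"
        print(f"{f.host:8} {f.product:26} {f.installed:16} {state}")
```

The check only knows the version numbers this page quotes, so an install on a release track the bulletin does not list (the comparison falls back to the newest fixed build) is reported as needing an update and should be confirmed against the vendor bulletin by hand rather than trusted blindly.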

Vulnerability Category | Vulnerability Impact | Severity | CVE Number
Out-of-bounds Read | Remote Code Execution | Critical | CVE-2017-3112
Out-of-bounds Read | Remote Code Execution | Critical | CVE-2017-3114
Out-of-bounds Read | Remote Code Execution | Critical | CVE-2017-11213
Use after free | Remote Code Execution | Critical | CVE-2017-11215
Use after free | Remote Code Execution | Critical | CVE-2017-11225

APSB17-34 Security updates available for Adobe Photoshop CC

Adobe has released updates for Photoshop CC for Windows and Macintosh. These updates resolve critical vulnerabilities that could lead to code execution. The latest Adobe Photoshop CC version numbers are now: 19.0 (2018.0) and 18.1.2 (2017.1.2).

Vulnerability Category | Vulnerability Impact | Severity | CVE Number
Memory Corruption | Remote code execution | Critical | CVE-2017-11303
Use after free | Remote code execution | Critical | CVE-2017-11304

APSB17-35 Security update available for Adobe Connect

Adobe has released a security update for Adobe Connect. This update resolves a critical Server-Side Request Forgery (SSRF) vulnerability (CVE-2017-11291) that could be abused to bypass network access controls. This update also resolves three input validation vulnerabilities rated Important (CVE-2017-11287, CVE-2017-11288, CVE-2017-11289) that could be used in reflected cross-site scripting attacks. Finally, this update includes a feature that enables Connect administrators to protect users from UI redressing (or clickjacking) attacks (CVE-2017-11290). The latest Adobe Connect version number is now: 9.7.

Vulnerability Category | Vulnerability Impact | Severity | CVE Number
Server-Side Request Forgery (SSRF) | Network access control bypass | Critical | CVE-2017-11291
Reflected Cross-site Scripting | Information disclosure | Important | CVE-2017-11287
Reflected Cross-site Scripting | Information disclosure | Important | CVE-2017-11288
Reflected Cross-site Scripting | Information disclosure | Important | CVE-2017-11289
UI Redress (or Clickjacking) | Information disclosure | Important | CVE-2017-11290
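The Connect bulletin describes a feature that lets administrators protect users from UI redressing. Whether such protection is actually reaching browsers is visible in the HTTP response headers, and the following Python is an added example (not code from the article or from Adobe Connect) that audits a response's headers for it: it accepts the `X-Frame-Options` values `DENY` and `SAMEORIGIN`, parses `frame-ancestors` out of a `Content-Security-Policy` header, and flags the case where only the legacy header is present. The sample responses are constructed; the function works for any web application, not just Connect.

```python
def _header(headers, name):
    """Case-insensitive header lookup over a plain dict; returns the value or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None if absent.

    Only the enforcing Content-Security-Policy header counts; a
    Content-Security-Policy-Report-Only header never blocks framing.
    """
    if not csp:
        return None
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_protection(headers):
    """Classify a response's clickjacking defences.

    x_frame_options:     DENY or SAMEORIGIN present (the obsolete ALLOW-FROM does not count)
    csp_frame_ancestors: a frame-ancestors list that is not the wildcard '*'
    protected:           at least one of the two is in place
    legacy_only:         only X-Frame-Options is set; CSP frame-ancestors is the
                         modern, more expressive control and should accompany it
    """
    xfo = _header(headers, "X-Frame-Options")
    xfo_ok = xfo is not None and xfo.strip().upper() in ("DENY", "SAMEORIGIN")

    ancestors = csp_frame_ancestors(_header(headers, "Content-Security-Policy"))
    csp_ok = ancestors is not None and len(ancestors) > 0 and "*" not in ancestors

    return {
        "x_frame_options": xfo_ok,
        "csp_frame_ancestors": csp_ok,
        "protected": xfo_ok or csp_ok,
        "legacy_only": xfo_ok and not csp_ok,
    }


# Constructed sample responses (header sets are made up for the example).
SAMPLE_RESPONSES = {
    "both":        {"X-Frame-Options": "SAMEORIGIN",
                    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_only":    {"content-security-policy": "frame-ancestors 'none'"},
    "legacy_only": {"X-Frame-Options": "DENY"},
    "wildcard":    {"Content-Security-Policy": "frame-ancestors *"},
    "allow_from":  {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "none":        {"Content-Type": "text/html"},
}


def unprotected(responses=SAMPLE_RESPONSES):
    """Names of the sample responses that can be framed by any origin."""
    return sorted(name for name, h in responses.items() if not framing_protection(h)["protected"])


if __name__ == "__main__":
    for name, h in SAMPLE_RESPONSES.items():
        print(f"{name:12} {framing_protection(h)}")
```

A response with only `X-Frame-Options` is still protected in current browsers, but `frame-ancestors` is what lets an administrator allow a specific trusted origin without falling back to the obsolete `ALLOW-FROM` syntax, so the `legacy_only` flag is worth acting on.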

APSB17-36 Security updates available for Adobe Acrobat and Reader

Adobe has released security updates for Adobe Acrobat and Reader for Windows and Macintosh. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. The latest Adobe Acrobat and Reader version number is now: 2018.009.20044.

Vulnerability Category | Vulnerability Impact | Severity | CVE Number
Access of Uninitialized Pointer | Remote Code Execution | Critical | CVE-2017-16377, CVE-2017-16378
Use after free | Remote Code Execution | Critical | CVE-2017-16360, CVE-2017-16388, CVE-2017-16389, CVE-2017-16390, CVE-2017-16393, CVE-2017-16398
Buffer Access with Incorrect Length Value | Remote Code Execution | Critical | CVE-2017-16381, CVE-2017-16385, CVE-2017-16392, CVE-2017-16395, CVE-2017-16396
Buffer over-read | Remote Code Execution | Critical | CVE-2017-16363, CVE-2017-16365, CVE-2017-16374, CVE-2017-16384, CVE-2017-16386, CVE-2017-16387
Buffer Overflow/Underflow | Remote Code Execution | Critical | CVE-2017-16368
Heap Overflow | Remote Code Execution | Critical | CVE-2017-16383
Improper validation of array index | Remote Code Execution | Critical | CVE-2017-16391, CVE-2017-16410
Out-of-bounds read | Remote Code Execution | Critical | CVE-2017-16362, CVE-2017-16370, CVE-2017-16376, CVE-2017-16382, CVE-2017-16394, CVE-2017-16397, CVE-2017-16399, CVE-2017-16400, CVE-2017-16401, CVE-2017-16402, CVE-2017-16403, CVE-2017-16404, CVE-2017-16405, CVE-2017-16408, CVE-2017-16409, CVE-2017-16412, CVE-2017-16414, CVE-2017-16417, CVE-2017-16418, CVE-2017-16420, CVE-2017-11293
Out-of-bounds write | Remote Code Execution | Critical | CVE-2017-16407, CVE-2017-16413, CVE-2017-16415, CVE-2017-16416
Security bypass | Drive-by-download | Important | CVE-2017-16361, CVE-2017-16366
Security bypass | Information Disclosure | Important | CVE-2017-16369
Security bypass | Remote Code Execution | Critical | CVE-2017-16380
Stack exhaustion | Excessive resource consumption | Important | CVE-2017-16419
Type confusion | Remote Code Execution | Critical | CVE-2017-16367, CVE-2017-16379, CVE-2017-16406
Untrusted pointer dereference | Remote Code Execution | Critical | CVE-2017-16364, CVE-2017-16371, CVE-2017-16372, CVE-2017-16373, CVE-2017-16375, CVE-2017-16411

APSB17-37 Security update available for the Adobe DNG Converter

Adobe has released a security update for the Adobe DNG Converter for Windows. This update resolves a critical memory corruption vulnerability. The latest Adobe DNG Converter version number is now: 10.0.

Vulnerability Category | Severity | CVE Numbers
Memory Corruption | Critical | CVE-2017-11295

APSB17-38 Security update available for Adobe InDesign

Adobe has released an update for InDesign for Windows and Macintosh. This update addresses a critical memory corruption vulnerability due to improper handling of a malformed .inx file. The latest Adobe InDesign version number is now: 13.0.

Vulnerability Category | Vulnerability Impact | Severity | CVE Number
Memory Corruption | Remote Code Execution | Critical | CVE-2017-11302

APSB17-39 Security update available for Adobe Digital Editions

Adobe has released a security update for Adobe Digital Editions for Windows, Macintosh, iOS, and Android. This update addresses an XML external entity processing vulnerability rated critical that could lead to information disclosure, out-of-bounds read vulnerabilities that could lead to the disclosure of memory addresses, and a memory corruption vulnerability that could lead to the disclosure of memory addresses. The latest Adobe Digital Editions version number is now: 4.5.7.

Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers
Unsafe parsing of XML External Entities | Information Disclosure | Critical | CVE-2017-11273
Out-of-bounds read | Memory address disclosure | Important | CVE-2017-11297
Out-of-bounds read | Memory address disclosure | Important | CVE-2017-11298
Out-of-bounds read | Memory address disclosure | Important | CVE-2017-11299
Out-of-bounds read | Memory address disclosure | Important | CVE-2017-11300
Memory Corruption | Memory address disclosure | Important | CVE-2017-11301
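The Digital Editions entry rated critical is unsafe parsing of XML external entities: an e-book is a bundle of XML files, and a parser that honours entity declarations can be made to read local files into the document it is processing. The following Python is an added example, not code from the article or from Adobe Digital Editions, of the usual hardening for a reader that never needs a DTD: walk the document with a bare expat parser that aborts at the first entity declaration, and only then hand it to the real parser. Because expat processes the DOCTYPE internal subset before the body, the check fires before any entity is expanded or fetched. The sample documents are constructed and deliberately minimal.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXmlError(ValueError):
    """Raised when a document declares entities, which this reader does not accept."""


def scan_for_entity_declarations(data):
    """Abort at the first <!ENTITY ...> declaration, before anything is expanded.

    The scan itself never resolves parameter entities, so an external DTD subset is
    not fetched either. Well-formedness errors surface as xml.parsers.expat.ExpatError.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        kind = "external" if system_id is not None else "internal"
        raise UnsafeXmlError(f"{kind} entity declaration {name!r} (SYSTEM {system_id!r})")

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)


def parse_untrusted_xml(data):
    """Parse XML from an untrusted source, refusing any document that declares entities."""
    scan_for_entity_declarations(data)
    return ET.fromstring(data)


def is_accepted(data):
    """Convenience wrapper: True if the document passes the gate and parses."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXmlError:
        return False


# Constructed sample documents, shaped like a tiny e-book package manifest.
SAFE_DOC = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<package version="2.0"><metadata><title>Constructed sample</title></metadata></package>'
)

# Declares an external entity that points at a local file; the gate must refuse it.
XXE_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE package [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
    '<package><metadata><title>&xxe;</title></metadata></package>'
)

# Internal entities are refused too: nested internal entities are how expansion
# bombs are built, and a reader of a fixed file format has no need for them.
INTERNAL_ENTITY_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE package [ <!ENTITY a "aaaa"> ]>'
    '<package><metadata><title>&a;</title></metadata></package>'
)


if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC), ("xxe", XXE_DOC), ("internal", INTERNAL_ENTITY_DOC)):
        try:
            root = parse_untrusted_xml(doc)
            print(f"{label:9} accepted, root element <{root.tag}>")
        except UnsafeXmlError as exc:
            print(f"{label:9} rejected: {exc}")
```

The gate is deliberately blunt: it rejects every entity declaration, harmless ones included, which is the right trade for a reader of a fixed file format. An application that genuinely needs a DTD has to disable external entity resolution in its parser instead, and how that is done depends on the XML library in use.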

APSB17-40 Security update available for Adobe Shockwave Player

Adobe has released a security update for Adobe Shockwave Player for Windows. This update resolves a critical memory corruption vulnerability that could lead to code execution. The latest Adobe Shockwave Player version number is now: 12.3.1.201.

Vulnerability Category | Vulnerability Impact | Severity | CVE Number
Memory Corruption | Remote Code Execution | Critical | CVE-2017-11294

APSB17-41 Security updates available for Adobe Experience Manager

Adobe has released security updates for Adobe Experience Manager. These updates resolve a reflected cross-site scripting vulnerability rated moderate in the HtmlRendererServlet (CVE-2017-3109), an information disclosure vulnerability (CVE-2017-3111) rated important in which a sensitive token is included in an HTTP GET request under certain circumstances, and a cross-site scripting vulnerability (CVE-2017-11296) in Apache Sling Servlets Post 2.3.20 rated important. The latest Adobe Experience Manager version number is now: 6.3.

Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers | Affected Version | Download Package
Reflected cross-site scripting | Information disclosure | Moderate | CVE-2017-3109 | AEM 6.3 and earlier | Hotfix 17136 for 6.0.0; Cumulative Fix Pack for 6.1 SP2 - AEM-6.1-SP2-CFP9; Cumulative Fix Pack for 6.2 SP1 - AEM-6.2-SP1-CFP5; AEM 6.3 Service Pack 1 (6.3.1.0)
Sensitive token in HTTP GET request | Information disclosure | Important | CVE-2017-3111 | AEM 6.1, AEM 6.2 | Cumulative Fix Pack for 6.1 SP2 - AEM-6.1-SP2-CFP12; Cumulative Fix Pack for 6.2 SP1 - AEM-6.2-SP1-CFP2
Cross-site scripting | Information disclosure | Important | CVE-2017-11296 | AEM 6.3 and earlier | Hotfix 18963 for 6.0.0; Cumulative Fix Pack for 6.1 SP2 - AEM-6.1-SP2-CFP12; Cumulative Fix Pack for 6.2 SP1 - AEM-6.2-SP1-CFP6; Cumulative Fix Pack for AEM-CFP-6.3.0.2

Catalin Cimpanu
Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.

Comments

  • larsen0815 - 1 week ago

    As of 2017-11-15 11:00 CET, Adobe's FTP server (ftp.adobe.com -> /pub/adobe/reader/win/AcrobatDC/1800920044) apparently distributes version 15 instead of 2018.009.20044.

    When you extract the MSI, you can see the contained CAB is from 2015:
    AcroRdrDC1800920044_en_US.exe -nos_ne -nos_o"c:\adobe_extract"
