Adobe released July Patch Tuesday security updates that address over 100 flaws in Acrobat and Reader, and other issues in Flash Player, Experience Manager, and Connect.
Adobe on Tuesday has released July Patch Tuesday security updates that addressed more than 100 flaws in its products, including 105 vulnerabilities in Acrobat and Reader, two in Flash Player, three in Experience Manager, and three in Connect.
Windows and macOS versions of Adobe Acrobat and Reader were affected by tens of critical memory corruption bugs that could be exploited by an attacker for remote code execution. The list of flaws includes double-free, heap overflow, use-after-free, out-of-bounds write, type confusion, untrusted pointer dereference, and buffer error vulnerabilities.
“Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.
The July Patch Tuesday security updates also addressed a critical privilege escalation and tens of important out-of-bounds read vulnerabilities.
Many flaws fixed by Adobe were reported to the company through the Trend Micro’s Zero-Day Initiative (ZDI).
“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 220.127.116.11 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the advisory published by Adobe for Flash Player.
Adobe addressed three server-side request forgery (SSRF) vulnerabilities in Experience Manager that can lead to the exposure of sensitive information, fix authentication bypass and insecure library loading flaws in Adobe Connect. None of the flaws in Experience Manager and Adobe Connect was rated as critical.
The good news for the Adobe customers is that the company is not aware of any attack in the wild that exploited one of the flaws addressed with the July Patch Tuesday security updates.
(Security Affairs – July Patch Tuesday security updates, hacking)