Massive Adobe patch update fixes critical bugs in Acrobat, Reader


The February release addresses 44 critical Adobe software vulnerabilities. Adobe has released a major security update addressing vulnerabilities in software including Acrobat, Reader, Flash, ColdFusion and Creative Cloud.

The main release affects Acrobat DC and Reader DC 2019.010.20069 and earlier, Acrobat Classic 2017 and Acrobat Reader 2017 2017.011.30113 and earlier, as well as Acrobat DC and Acrobat Reader DC Classic 2015, all of which are affected on both Windows and macOS.

A total of 43 of the vulnerabilities in Adobe Acrobat and Reader are considered critical. The tech giant has also patched 28 important bugs. Among the critical vulnerabilities is a zero-day flaw in Acrobat Reader, disclosed in January, that could lead to the theft of hashed password values.

0patch released a micropatch this week. Other critical bugs resolved in the update include buffer errors, sensitive data leakage, an integer overflow vulnerability that could lead to information disclosure, a double-free bug, security bypass problems, and arbitrary code execution problems.

The key vulnerabilities resolved in the February update are a host of out-of-bounds read issues, which could lead to information disclosure if exploited by attackers.

In the past, Flash has often received large batches of security updates to address serious vulnerabilities. In the February update, however, the software was patched to resolve only one important security flaw, an out-of-bounds read problem that could lead to information disclosure. Adobe Flash version 32.0.0.114 and earlier, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 on Windows, macOS, and Chrome OS are affected.

ColdFusion versions 2018, 2016 and 11 were also included in the latest batch of security fixes. The update resolves a critical deserialization of untrusted data issue and an important cross-site scripting (XSS) bug that could lead to arbitrary code execution and information disclosure, respectively. Adobe has also released a single fix for Creative Cloud desktop versions 4.7.0.400 and earlier.

The patch applies to the application's installer and fixes an insecure library loading bug that, if exploited, could lead to privilege escalation.

Adobe thanked the researchers who reported the bugs through Trend Micro's Zero Day Initiative, Cisco Talos, Check Point Research and Palo Alto Networks, among others.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.