13 Updates Issued by Adobe: 42 Critical Flash, Reader and Acrobat Flaws Addressed

The first Patch Tuesday of 2017 has seen Adobe issue 13 updates for Adobe Flash, Adobe Acrobat, and Adobe Reader. The updates address 42 critical vulnerabilities, although exploits are not thought to currently exist in the wild. That said, now that the patches have been released, it is only a matter of time before exploits are developed.

The updates are spread across two bulletins: APSB17-01 for Acrobat and Reader and APSB17-02 for Adobe Flash Player. 29 critical flaws in Acrobat and Reader have been addressed, all but one of which can lead to remote code execution. The remaining 13 critical vulnerabilities affect Flash.

Users of Acrobat XI and Reader XI should update to version 11.0.19, while other users should update to either 15.023.20053 (continuous release track) or 15.006.30279 (classic track). The updates address a wide range of flaws including heap buffer and buffer overflow vulnerabilities, use-after-free vulnerabilities, memory corruption vulnerabilities, and one type confusion vulnerability.

All users have been advised to upgrade to the latest version of Flash Player (24.0.0.194) as soon as possible. The vulnerabilities also affect Chrome, Edge, and IE browsers, but will be addressed via Google’s and Microsoft’s update mechanisms.

The Adobe Flash vulnerabilities are the most important, as attackers tend to concentrate on developing exploits for Flash rather than for Acrobat and Reader, where exploits are harder to develop. The Flash vulnerabilities are CVE-2017-2925, CVE-2017-2926, CVE-2017-2928, CVE-2017-2930 and CVE-2017-2931, which are memory corruption vulnerabilities; CVE-2017-2927, CVE-2017-2933, CVE-2017-2934 and CVE-2017-2935, which are use-after-free vulnerabilities; and CVE-2017-2938, which is a security bypass vulnerability.

According to the Zero Day Initiative (ZDI), 2016 was a record year for vulnerabilities, with Adobe products the worst affected: 149 advisories were issued for Adobe products, or 22% of the total for all products tracked by ZDI. Advantech was in second place in 2016 with 112 advisories, or 17% of the total. Microsoft was in third place with 11% of the total, a reduction from 2015, when it accounted for 17% of all advisories. That said, Microsoft issued more security bulletins in 2016 than in any other year.

2017 has been tipped to be yet another record-breaking year, and Adobe is likely to top the list again.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news