Adobe October Update Includes Patches for 45 Critical Vulnerabilities in Acrobat and Reader

Adobe usually releases its patches, fixes, and software updates on the same day as Microsoft: the second Tuesday of the month, or Patch Tuesday as it has come to be known. No updates were released on Tuesday, October 9, but it turns out that the updates had just been delayed. On October 15, Adobe released a slew of updates to correct vulnerabilities in Adobe Acrobat, Adobe Reader, Adobe Experience Manager, Adobe Experience Manager Forms, and Adobe Download Manager.

Adobe released 68 updates for Adobe Acrobat and Adobe Reader, 45 of which address remote code execution vulnerabilities that could allow an attacker to run malicious code with the same level of privileges as the current user. All 45 of the vulnerabilities have been rated critical.

12 vulnerabilities have been fixed in Adobe Experience Manager, including one RCE vulnerability. The remaining vulnerabilities could result in information disclosure and escalation of privileges. Aside from the critical RCE vulnerability, the flaws have been rated important.

One cross-site scripting vulnerability has been fixed in Adobe Experience Manager Forms. The vulnerability could result in the disclosure of sensitive information.

One privilege escalation vulnerability has been corrected in Adobe Download Manager for Windows. If the vulnerability is exploited, an attacker could gain access to the processing resources of a vulnerable computer.

More than 30 independent security researchers have been credited with finding the vulnerabilities in the latest round of updates.

A large percentage of the vulnerabilities can be exploited remotely and can lead to remote code execution, which could allow an attacker to take full control of a vulnerable device. All users of vulnerable Adobe products have therefore been advised to update to the latest versions of the software as soon as possible.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news