Tuesday, May 10, 2016

Two Critical Adobe Updates:
Acrobat & Reader v15.016.20039 Now,
Flash Update On The Way

--

Sometimes I have to roll my eyes. This is yet another opportunity to shout expletives at Adobe for endangering our computers. It's another 'OMG you suck Adobe!' moment. Get a load of the number of CVEs patched in Acrobat/Reader v15.016.20039. Ninety-two CVEs. It has to be a record. Then there's the ongoing in-the-wild exploit of Flash that Adobe promises to patch later this week. Dangerous stuff. *sigh*

Out Today:


Adobe Acrobat & Reader v15.016.20039


Check for updates from within the applications,

Or download update installers at the pages linked below:

Download Reader Update

Download Acrobat Update

The security bulletin is HERE.

Vulnerability Details

• These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1045, CVE-2016-1046, CVE-2016-1047, CVE-2016-1048, CVE-2016-1049, CVE-2016-1050, CVE-2016-1051, CVE-2016-1052, CVE-2016-1053, CVE-2016-1054, CVE-2016-1055, CVE-2016-1056, CVE-2016-1057, CVE-2016-1058, CVE-2016-1059, CVE-2016-1060, CVE-2016-1061, CVE-2016-1065, CVE-2016-1066, CVE-2016-1067, CVE-2016-1068, CVE-2016-1069, CVE-2016-1070, CVE-2016-1075, CVE-2016-1094, CVE-2016-1121, CVE-2016-1122, CVE-2016-4102, CVE-2016-4107).

• These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2016-4091, CVE-2016-4092).

• These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1037, CVE-2016-1063, CVE-2016-1064, CVE-2016-1071, CVE-2016-1072, CVE-2016-1073, CVE-2016-1074, CVE-2016-1076, CVE-2016-1077, CVE-2016-1078, CVE-2016-1080, CVE-2016-1081, CVE-2016-1082, CVE-2016-1083, CVE-2016-1084, CVE-2016-1085, CVE-2016-1086, CVE-2016-1088, CVE-2016-1093, CVE-2016-1095, CVE-2016-1116, CVE-2016-1118, CVE-2016-1119, CVE-2016-1120, CVE-2016-1123, CVE-2016-1124, CVE-2016-1125, CVE-2016-1126, CVE-2016-1127, CVE-2016-1128, CVE-2016-1129, CVE-2016-1130, CVE-2016-4088, CVE-2016-4089, CVE-2016-4090, CVE-2016-4093, CVE-2016-4094, CVE-2016-4096, CVE-2016-4097, CVE-2016-4098, CVE-2016-4099, CVE-2016-4100, CVE-2016-4101, CVE-2016-4103, CVE-2016-4104, CVE-2016-4105).

• These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2016-1043).

• These updates resolve memory leak vulnerabilities (CVE-2016-1079, CVE-2016-1092).

• These updates resolve an information disclosure issue (CVE-2016-1112).

• These updates resolve various methods to bypass restrictions on JavaScript API execution (CVE-2016-1038, CVE-2016-1039, CVE-2016-1040, CVE-2016-1041, CVE-2016-1042, CVE-2016-1044, CVE-2016-1062, CVE-2016-1117).

• These updates resolve vulnerabilities in the directory search path used to find resources that could lead to code execution (CVE-2016-1087, CVE-2016-1090, CVE-2016-4106).

Total count: 92 CVEs patched.

~ ~ ~ ~ ~

Coming up later this week:


Adobe Flash update.


The warning security advisory is HERE.

Summary

A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.

I'll make another post when the update for Adobe Flash is available. Until then, avoid or stop using Flash.
