The vulnerabilities addressed in this month's Patch Tuesday updates affect Adobe Flash Player, Adobe Experience Manager, Adobe Connect, and Adobe Acrobat and Reader.
None of the security vulnerabilities patched this month were either publicly disclosed or found being actively exploited in the wild.
Adobe Flash Player (For Desktops and Browsers)
Security updates include patches for two vulnerabilities in Adobe Flash Player across the platforms and applications listed below.
One of them, CVE-2018-5007, is rated critical: it is a type confusion flaw whose successful exploitation could allow an attacker to execute arbitrary code on the targeted system in the context of the current user.
This flaw was discovered and reported to Adobe by willJ of Tencent PC Manager working with Trend Micro's Zero Day Initiative.
Without revealing technical details of either flaw, Adobe said the second vulnerability, which it rated important, could allow an attacker to retrieve sensitive information.
- Flash Player v30.0.0.113 and earlier versions
Affected Platforms and Applications
- Chrome OS
- Google Chrome
- Microsoft IE 11
- Microsoft Edge
Adobe Acrobat and Reader (Windows and macOS)
The company has patched a total of 104 security vulnerabilities in Adobe Acrobat and Reader, 51 of which are rated critical and the rest important.
Both products contain dozens of critical heap overflow, use-after-free, out-of-bounds write, type confusion, untrusted pointer dereference and buffer error vulnerabilities, each of which could allow an attacker to execute arbitrary code on the targeted system in the context of the current user, typically by getting the user to open a crafted PDF.
These vulnerabilities were reported by security researchers from various security firms, including Palo Alto Networks, Trend Micro Zero Day Initiative, Tencent, Qihoo 360, CheckPoint, Cisco Talos, Kaspersky Lab, Xuanwu Lab and Vulcan Team.
- Continuous Track—2018.011.20040 and earlier versions
- Classic 2017 Track—2017.011.30080 and earlier versions
- Classic 2015 Track—2015.006.30418 and earlier versions
- Microsoft Windows
- Apple macOS
Adobe Experience Manager (All Platforms)
Adobe has addressed three important Server-Side Request Forgery (SSRF) vulnerabilities in Adobe Experience Manager, its enterprise content management platform, which could result in sensitive information disclosure.
Two of these security vulnerabilities (CVE-2018-5006, CVE-2018-12809) were discovered by Russian application security researcher Mikhail Egorov.
- AEM v6.4, 6.3, 6.2, 6.1 and 6.0
The vulnerabilities affect Adobe Experience Manager on all platforms, and users are recommended to apply the updated version referenced in Adobe's advisory.
Adobe Connect (All Platforms)
Adobe has patched three security vulnerabilities in Adobe Connect, its web conferencing and online presentation software. Two of them, rated important, could allow an attacker to bypass authentication, hijack web sessions and steal sensitive information.
The third flaw, rated moderate, is a privilege escalation issue caused by insecure library loading.
- Adobe Connect v9.7.5 and earlier for all platforms