Adobe has released three security updates for Adobe Flash Player (APSB17-04), Adobe Digital Editions (APSB17-05), and Adobe Campaign (APSB17-06) which covers a total of 24 CVEs. These updates for Adobe Flash Player address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. For Digital Editions it resolves a critical heap buffer overflow vulnerability that could lead to code execution and important buffer overflow vulnerabilities that could lead to a memory leak. The security updates resolve a moderate security bypass affecting the Adobe Campaign client console.
APSB17-04 (Adobe Flash Player):
– A type confusion vulnerability that could lead to code execution (CVE-2017-2995).
– An integer overflow vulnerability that could lead to code execution (CVE-2017-2987).
– Multiple use-after-free vulnerabilities that could lead to code execution.
(CVE-2017-2982, CVE-2017-2985, CVE-2017-2993, CVE-2017-2994).
– Multiple heap buffer overflow vulnerabilities that could lead to code execution.
(CVE-2017- 2984, CVE-2017-2986, CVE-2017-2992).
– Multiple memory corruption vulnerabilities that could lead to code execution.
(CVE-2017-2988, CVE-2017-2990, CVE-2017-2991, CVE-2017-2996).
APSB17-05 (Adobe Digital Editions):
– A heap buffer overflow vulnerability that could lead to code execution (CVE-2017-2973).
– Multiple buffer overflow vulnerabilities that could lead to a memory leak.
(CVE-2017-2974, CVE-2017-2975, CVE-2017-2976, CVE-2017-2978, CVE-2017-2977, CVE-2017-2979,
APSB17-06 (Adobe Campaign):
– A moderate security bypass affecting Adobe Campaign that could be exploited by an authenticated user with access to the client console. Successful exploitation could lead to read and write access to the system (CVE-2017-2968).
– A moderate input validation issue that could be used in cross-site scripting attacks (CVE-2017-2969).
Adobe Flash Player – 220.127.116.11 and earlier on all platforms.
Adobe Digital Editions – 4.5.3 and earlier versions on all platforms.
Adobe Campaign – 16.8 Build 8724 and earlier versions on Windows and Linux.
Security Research Engineer.