On Tuesday, the United States Computer Emergency Readiness Team (US-CERT) released a statement urging users and administrators to refer to APSB15-24, one of two security bulletins issued by Adobe in this round of patches.
In that document, Adobe reveals security fixes to approximately 56 vulnerabilities affecting Acrobat and Reader for Windows and Macintosh.
These security holes were discovered primarily by researchers working with HP’s Zero Day Initiative, though experts from Cure53, Vectra Networks, VeriSign iDefense Labs, Trend Micro, MWR Labs, and the Nanyang Technological University in Singapore were also acknowledged by Adobe.
All of the flaws are labeled “critical” because of their potential to allow an attacker to assume control of an affected system.
According to SecurityWeek, approximately half of the bugs constitute various methods whereby a malicious actor can bypass restrictions on Java API execution. Others are security bypass vulnerabilities that could lead to information disclosure, memory leaks, and memory corruption bugs, all of which an attacker can exploit to produce arbitrary code execution.
At the same time, Adobe has released APSB15-25, a bulletin that addresses 13 security vulnerabilities in Flash Player that could lead to information disclosure and code execution.
The newly patched version of Flash (18.104.22.168) comes with a defense-in-depth feature in the Flash broker API.
Adobe Flash has had a tough past couple of months.
Back in July, the data dumps that followed the Hacking Team leaks revealed several zero-day vulnerabilities in Flash.
This led Mozilla to temporarily block all forms of Flash before Google’s Project Zero and Adobe outfitted the application with new exploit mitigations.
Adobe has since fixed the Hacking Team bugs in a large patch last month, but as this current patching cycle illustrates, researchers continue to find vulnerabilities in Flash by the dozens.
I would therefore urge you to implement these updates ASAP before an attacker begins exploiting the vulnerabilities in the wild. It might also be worth enabling Click-to-Play for Flash, or disabling Flash altogether.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.