Security Alert (A17-08-03): Multiple Vulnerabilities in Adobe Flash Player and Adobe Reader/Acrobat


 

Published on: 09 August 2017

  
  

Description:

Security updates are released for Adobe Flash Player and Adobe Reader/Acrobat to address multiple vulnerabilities caused by security bypass, type confusion, memory corruption, use-after-free error, insufficient verification of data authenticity and heap overflow. To successfully exploit the vulnerabilities, a remote attacker could entice a targeted user to open a specially crafted PDF file, web page, Flash file, or document that supports embedded Flash content.

Please also note that the Adobe announced that support for Adobe Flash will be ceased at the end of 2020 and no security updates will be provided after that. Users should arrange migrating to other supported technology.

 

Affected Systems:

  • Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux 26.0.0.137 and earlier versions
  • Adobe Flash Player for Google Chrome 26.0.0.137 and earlier versions
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 26.0.0.137 and earlier versions
  • Adobe Acrobat /Acrobat Reader 2017 2017.008.30051 and earlier versions
  • Adobe Acrobat DC/Acrobat Reader DC Continuous 2017.009.20058 and earlier versions
  • Adobe Acrobat DC/Acrobat Reader DC Classic 2015.006.30306 and earlier versions
  • Adobe Acrobat/Reader XI 11.0.20 and earlier versions

 

Impact:

A successful exploitation could lead to arbitrary code execution, information disclosure or potentially take control of the affected system.

 

Recommendation:

Upgrade Adobe Flash Player and Adobe Reader/Acrobat to the following versions to address the issues. The upgrade can be obtained by using the auto-update mechanism or by downloading at the following URLs:

  • Adobe Flash Player Desktop Runtime 26.0.0.151 for Windows and Macintosh
    https://get.adobe.com/flashplayer/
    http://www.adobe.com/products/players/flash-player-distribution.html

  • Adobe Flash Player 26.0.0.151 for Google Chrome
    https://chromereleases.googleblog.com/

  • Adobe Flash Player 26.0.0.151 for Microsoft Edge and Internet Explorer 11
    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170010

  • Adobe Flash Player 26.0.0.151 for Linux
    https://get.adobe.com/flashplayer/

  • Adobe Acrobat DC Continuous 2017.012.20093, Acrobat DC Classic 2015.006.30352, Acrobat 2017 2017.011.30059, Acrobat Reader 2017 2017.011.30059, Acrobat XI 11.0.21
    http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
    http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Mac

  • Adobe Acrobat Reader DC Classic 2015.006.30352, Reader XI 11.0.21
    http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
    http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Mac

  • Adobe Acrobat Reader DC Continuous 2017.012.20093
    http://get.adobe.com/reader/

If you have multiple browsers, you are required to perform the Adobe Flash Player upgrade for each browser, the Flash Player version can be checked at

http://www.adobe.com/software/flash/about/ 

 

More Information:

https://helpx.adobe.com/security/products/acrobat/apsb17-24.html
https://helpx.adobe.com/security/products/flash-player/apsb17-23.html
https://www.hkcert.org/my_url/en/alert/17080902
https://www.us-cert.gov/ncas/current-activity/2017/08/08/Adobe-Releases-Security-Updates
https://blogs.adobe.com/conversations/2017/07/adobe-flash-update.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3016
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3038
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3115 (to CVE2017-3124)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11209 (to CVE2017-11212)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11216 (to CVE2017-11224)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11226 (to CVE2017-11239)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11241 (to CVE2017-11246)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11248 (to CVE2017-11249)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11251 (to CVE2017-11252)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11254 (to CVE2017-11263)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11265
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11267 (to CVE2017-11271)

 



Tag: Adobe , Acrobat , Acrobat Reader , Adobe Reader , Flash Player
Tags