Adobe fixes 46 critical bugs in patchfest

Adobe patched a total of 82 vulnerabilities across a range of products on Tuesday, including 46 critical bugs.

The lion’s share of the patches, which the company flagged on 11 October, came in a single advisory covering Acrobat and Acrobat Reader on the Windows and macOS platforms, extending back to the Classic 2015 versions.

There were 45 critical bugs in this batch, each allowing arbitrary code execution, arising from a range of weaknesses: type confusion, race conditions, and memory-safety bugs such as out-of-bounds writes, use after free, buffer overruns, and heap overflows.

The company said:

Successful exploitation could lead to arbitrary code execution in the context of the current user.

Other bugs in this batch, rated important, include cross-site scripting, out-of-bounds reads, and what Adobe called an “incomplete implementation of security mechanism”, although, as with many of the bugs, no details of that one had been published.

Adobe also patched a single important-rated vulnerability in Adobe Download Manager for Windows (CVE-2019-8071), a privilege-escalation bug caused by insecure file permissions.

There were 12 vulnerabilities in its Experience Manager content management system, including CVE-2019-8088, a critical command-injection vulnerability that could lead to arbitrary code execution. Experience Manager Forms, which lets people create online sign-up forms, had one moderate-rated vulnerability that Adobe said could “result in sensitive information disclosure”.

Adobe describes several ways to update. Consumers can either wait for the product to detect the update itself, or prompt it by choosing Help > Check for Updates. Acrobat Reader users can also download the full installer from the Acrobat Reader Download Centre and run it.

Admins can perform mass updates in two steps: first download the enterprise installers from Adobe’s FTP site, then push them out with the tooling of your choice, such as SSH sessions into macOS hosts, or Microsoft’s System Center Configuration Manager to schedule the updates on Windows.
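Pushing the installer is only half the job; the part that catches stragglers is checking afterwards that every host actually runs a fixed build. The script below is an added example for the macOS-over-SSH case, not code from the article or from Adobe. It reads the installed Acrobat Reader version from the app bundle and compares it field by field against the version you pass in; the fixed version is a parameter rather than a constant because this page does not list the patched build numbers, so take it from Adobe’s advisory. The bundle path and the CFBundleShortVersionString key are assumptions about a default Reader DC install; override the path for Acrobat or a non-standard location.

```shell
#!/usr/bin/env bash
# reader-check.sh: report whether the Acrobat Reader on this Mac is at or above
# a required version. Added example, not Adobe's tooling. Run it over SSH:
#   ssh mac1 'bash -s 19.021.20047' < reader-check.sh
# Exit status: 0 patched, 1 needs update, 2 not installed.
set -u

# version_ge A B -> exit 0 if dotted version A >= B.
# Fields are compared numerically in base 10 (so "021" is 21, not octal 17) and
# a missing field counts as 0, so 2019.12.20035 > 2019.8.20071 and 19.21 == 19.21.0.
# A plain string comparison gets the first of those wrong.
version_ge() {
    local IFS=.
    local -a a=($1) b=($2)
    local i n=$(( ${#a[@]} > ${#b[@]} ? ${#a[@]} : ${#b[@]} ))
    for (( i = 0; i < n; i++ )); do
        local x=$(( 10#${a[i]:-0} )) y=$(( 10#${b[i]:-0} ))
        (( x > y )) && return 0
        (( x < y )) && return 1
    done
    return 0
}

# installed_reader_version [plist] -> print the bundle's short version string,
# or fail if the app is absent. The default path is the usual location of
# Acrobat Reader DC (assumption); pass another Info.plist for Acrobat itself.
installed_reader_version() {
    local plist="${1:-/Applications/Adobe Acrobat Reader DC.app/Contents/Info.plist}"
    [[ -r "$plist" ]] || return 1
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist" 2>/dev/null
}

# check_reader REQUIRED [plist] -> prints a one-line verdict and returns
# 0 patched, 1 needs update, 2 not installed.
check_reader() {
    local required="$1" installed
    installed=$(installed_reader_version "${2:-}") || {
        echo "reader: not installed"
        return 2
    }
    if version_ge "$installed" "$required"; then
        echo "reader $installed: OK (>= $required)"
        return 0
    fi
    echo "reader $installed: NEEDS UPDATE (< $required)"
    return 1
}

# Only run the check when a required version is given on the command line, so
# the functions can also be sourced from an inventory script.
if [[ $# -ge 1 ]]; then
    check_reader "$@"
    exit $?
fi
```

The exit status is the point of the script: an inventory loop over `ssh` can collect it per host and list every machine that returned 1 or 2 for a second pass, instead of trusting that the deployment job succeeded.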