Adobe Systems released security updates for its Flash Player, Adobe Reader, and Acrobat products fixing critical vulnerabilities that could allow attackers to install malware on computers.
The Flash Player update fixes 13 vulnerabilities, 12 that can lead to remote code execution and one that allows attackers to bypass a security restriction and disclose information. Adobe is not aware of any exploit for these flaws existing in the wild.
Users are advised to upgrade to Flash Player version 126.96.36.199 on Windows, Mac, and Linux. The Flash Player plug-in bundled with Google Chrome, Microsoft Edge and Internet Explorer will be automatically upgraded through those browsers’ respective update mechanisms.
The Adobe Reader and Acrobat updates address 29 vulnerabilities, 28 of which can lead to arbitrary code execution. Like with the Flash Player flaws, Adobe is not aware of any of these vulnerabilities being exploited by attackers.
The company advises Acrobat and Reader DC users to upgrade to version 15.023.20053 if they use the “continuous” release track or to version 15.006.30279 if they’re on the “classic” track. Users of the older, but still supported, Acrobat XI and Reader XI should upgrade to version 11.0.19.
Because of their security sandbox which makes exploits significantly harder to implement, Adobe Reader and Acrobat are rarely targeted by hackers today compared to be some years ago.
However, Flash Player remains a hacker favourite, with zero-day attacks against it being relatively common and with exploits being integrated into widely used Web-based attack tools.