Adobe Systems released critical security updates for several products Tuesday in order to fix vulnerabilities that could allow attackers to take remote control of systems running the vulnerable software.
The products that received security patches were Flash Player, the Adobe AIR SDK (software development kit) and Compiler for building rich Internet applications, Adobe Reader, Adobe Acrobat, and Adobe Illustrator for CS6 (Creative Suite 6).
While security updates for Flash Player, AIR, Reader and Acrobat are released on a monthly basis, security patches for Illustrator, especially critical ones, are rare, the previous one being released two years ago.
In a security advisory Adobe said that the new Illustrator hotfix addresses a vulnerability that could be exploited to gain remote code execution on the affected system, but didn’t specify how. The company recommends that users of Adobe Illustrator on Windows and Mac upgrade to the newly released 16.2.2 or 16.0.5 versions, depending on whether they’re on a subscription or not.
The new Flash Player versions released Tuesday, 188.8.131.52 for Windows and Mac and 184.108.40.2069 for Linux, fix a total of six vulnerabilities. One of them, identified as CVE-2014-0510, could result in arbitrary code execution and was demonstrated by members of Keen Team and Team 509 during the Pwn2Own hacking competition in March.
One of the other patched vulnerabilities could be exploited to bypass the same origin policy, an important security feature that prevents content loaded from different websites from interacting with each other, and the remaining four could be used to bypass different security protections in the program.
The Flash Player versions distributed with Google Chrome, Internet Explorer 10 and Internet Explorer 11 will automatically be updated through the update mechanisms of those browsers.
The same vulnerabilities were also fixed in the newly released Adobe AIR 220.127.116.11 SDK and Adobe AIR 18.104.22.168 SDK and Compiler, which bundle Flash Player.
Adobe Reader and Acrobat X and XI were updated to versions 11.0.07 and 10.1.10 in order to fix ten remote code execution flaws, one sandbox bypass and one information disclosure vulnerability. One remote code execution flaw, CVE-2014-0511, and the sandbox bypass, CVE-2014-0512, were used by a team from French vulnerability research firm Vupen during the Pwn2Own contest.
The Adobe Reader and Flash security updates received a priority rating of 1 from Adobe. This indicates that the company considers them to be easily exploitable once the patches have been reverse engineered, said Wolfgang Kandek, the chief technology officer at Qualys, via email. “Note that Adobe also does not provide patches for Windows XP anymore.”