Adobe released security updates yesterday for its PDF viewing and editing products, Reader and Acrobat, along with its e-book reader, Adobe Digital Editions. Although a Flash update is missing from yesterday’s monthly rollout, Adobe has said that a new version of the software will be available in the near future.
As a reminder, last month Adobe patched 22 CVEs in its Flash Player, and most of them were related to vulnerabilities, use-after-free vulnerabilities and corruption. The patches that Adobe has just released are a bit lighter, fixing just three flaws in Reader and Acrobat and a single vulnerability in Digital Editions.
The three vulnerabilities fixed in Reader and Acrobat were privately disclosed to Adobe by the Zero Day Initiative (aka ZDI), which is one of the world’s oldest vendor-agnostic bug bounty programs and is owned by HP.
Two of the three patches (CVE-2016-1009 and CVE-2016-1007) address memory corruption vulnerabilities, while the third one (CVE-2016-1008) fixes a flaw in the directory search path. According to Adobe, all three vulnerabilities could have been exploited to remotely execute code on compromised computers, but it seems that no hackers were able to use them before the patch was released, which is good news.
Adobe also confirmed that the Adobe Digital Editions vulnerability could lead to code execution. The company said that version 4.5.0 is affected and that users should update to 4.5.1 as soon as possible.
With that said, we are now waiting for Adobe Flash to get updated. Unfortunately, Adobe Flash Player will die sooner or later, as big companies have already decided to ditch it in favor of HTML5.
Do you think that Adobe will release a new update for its Flash Player before the end of the week?