Adobe's scheduled updates for April 2019 have now rolled out. According to Adobe's advisories, this update brings fixes for multiple security vulnerabilities in Adobe Reader, Flash, and numerous other products. The Adobe April Patch Tuesday updates are important because they address numerous critical security flaws.
Adobe Products Flooded With Multiple Security Vulnerabilities
The Adobe Patch Tuesday update bundle focuses on fixing multiple critical security vulnerabilities in different Adobe products. Here is a breakdown of the patches.
With the April updates, Adobe fixed multiple flaws in Adobe Reader and Acrobat DC. The updates specifically fixed 11 critical and 10 important vulnerabilities affecting Adobe Reader and Acrobat for Windows and macOS.
As explained in their advisory, the critical ones included 5 out-of-bounds write vulnerabilities, 2 type confusion flaws, 2 use-after-free flaws, and 2 heap overflow bugs. All of these could lead to arbitrary code execution upon successful exploitation. The important flaws, by contrast, are 10 out-of-bounds read vulnerabilities that could result in information disclosure. Adobe released the patches in the following software versions.
- Acrobat DC and Acrobat Reader DC (continuous track) version 2019.010.20099
- Adobe Acrobat 2017 and Acrobat Reader DC 2017 (Classic 2017) version 2017.011.30138
- Acrobat DC and Acrobat Reader DC (Classic 2015) version 2015.006.30493
In addition, Adobe rolled out fixes for Adobe Shockwave Player for Windows with version 22.214.171.124. As mentioned in their advisory, the new software version patches 7 critical memory corruption vulnerabilities. If exploited by an attacker, all of these could result in arbitrary code execution.
Adobe also fixed 8 security flaws in Adobe Bridge CC for Windows and macOS with version 9.0.3. These include 2 different critical remote code execution flaws and 6 important information disclosure vulnerabilities. Adobe has described these flaws in its advisory.
Other Fixes In Adobe April Patch Tuesday
Apart from the above-mentioned products carrying multiple fixes, Adobe Patch Tuesday for April also addresses other products with fewer vulnerabilities. These include 2 critical path traversal vulnerabilities in Adobe XD for macOS. Exploiting these flaws could result in arbitrary code execution.
Moreover, the update also addressed a critical arbitrary code execution flaw and an important information disclosure flaw in Adobe Flash Player, a critical unsafe hyperlink processing flaw in Adobe InDesign leading to arbitrary code execution, an important stored cross-site scripting vulnerability disclosing sensitive information in Adobe Experience Manager Forms, and a moderate-severity insecure protocol implementation bug in Adobe Dreamweaver.
The recent updates, unlike March Patch Tuesday, did not address any flaws in Adobe Photoshop or Digital Editions. In the previous month, Adobe released a shorter update with patches for only two vulnerabilities.