Adobe has released security patches for most of its major products in its November 2017 security updates. The updates cover Adobe Flash Player, Adobe Photoshop CC, Adobe InDesign, Adobe Connect, Adobe Acrobat and Reader, Adobe DNG Converter, Adobe Digital Editions, and Adobe Shockwave Player. Also, a vulnerability management tool is essential here.
Patches have been issued for a total of 83 vulnerabilities, including several critical vulnerabilities in Flash Player. Apart from that, 62 vulnerabilities are fixed in the Adobe Acrobat and Reader applications. The remaining products have at least one flaw rated as critical. A patch management solution can fix these critical vulnerabilities.
Adobe Security Updates November 2017 details:
APSB17-33 (Adobe Flash Player):
- An Out-of-bounds read vulnerability which leads to remote code execution. (CVE-2017-3112, CVE-2017-3114, CVE-2017-11213)
- A use-after-free vulnerability which leads to remote code execution. (CVE-2017-11215, CVE-2017-11225)
- Affected Applications:
Adobe Flash Player Desktop Runtime 27.0.0.183 and earlier versions, on Windows, Macintosh, Linux.
Adobe Flash Player for Google Chrome 27.0.0.183 and earlier versions.
Adobe Flash Player for Microsoft Edge and Internet Explorer 11 27.0.0.183 and earlier versions.
- Impact: Remote Code Execution.
APSB17-34 (Adobe Photoshop CC):
- Memory corruption vulnerability which leads to remote code execution. (CVE-2017-11303)
- A use-after-free vulnerability which leads to remote code execution. (CVE-2017-11304)
- Affected Applications:
Photoshop CC 2017 18.1.1 (2017.1.1) and earlier versions.
- Impact: Remote Code Execution.
APSB17-35 (Adobe Connect):
- A Server-Side Request Forgery (SSRF) vulnerability, which leads to network access control bypass. (CVE-2017-11291)
- Multiple reflected cross-site scripting vulnerabilities which lead to information disclosure. (CVE-2017-11287, CVE-2017-11288, CVE-2017-11289)
- A clickjacking vulnerability which leads to information disclosure. (CVE-2017-11290)
- Affected Applications:
Adobe Connect 9.6.2 and earlier
- Impact: Information Disclosure.
APSB17-36 (Adobe Acrobat and Reader):
- Access of Uninitialized Pointer which leads to remote code execution (CVE-2017-16377, CVE-2017-16378)
- Multiple use-after-free vulnerabilities which lead to remote code execution. (CVE-2017-16360, CVE-2017-16388, CVE-2017-16389, CVE-2017-16390, CVE-2017-16393 and CVE-2017-16398)
- A buffer access with incorrect length value which leads to remote code execution (CVE-2017-16381, CVE-2017-16385, CVE-2017-16392, CVE-2017-16395, CVE-2017-16396)
- A buffer over-read which leads to remote code execution (CVE-2017-16363, CVE-2017-16365, CVE-2017-16374, CVE-2017-16384, CVE-2017-16386 and CVE-2017-16387)
- A Buffer Overflow/Underflow vulnerability which leads to remote code execution (CVE-2017-16368)
- A Heap Overflow vulnerability which leads to remote code execution (CVE-2017-16383)
- An Improper validation of array index which leads to remote code execution (CVE-2017-16391, CVE-2017-16410)
- An out-of-bounds read vulnerability which leads to remote code execution (CVE-2017-16362, CVE-2017-16370, CVE-2017-16376, CVE-2017-16382, CVE-2017-16394, CVE-2017-16397, CVE-2017-16399, CVE-2017-16400, CVE-2017-16401, CVE-2017-16402, CVE-2017-16403, CVE-2017-16404, CVE-2017-16405, CVE-2017-16408, CVE-2017-16409, CVE-2017-16412, CVE-2017-16414, CVE-2017-16417, CVE-2017-16418, CVE-2017-16420 and CVE-2017-11293)
- An Out-of-bounds write which leads to remote code execution (CVE-2017-16407, CVE-2017-16413, CVE-2017-16415, CVE-2017-16416)
- A Security bypass vulnerability which leads to Drive-by-download (CVE-2017-16361, CVE-2017-16366)
- A Security bypass vulnerability which leads to information disclosure (CVE-2017-16369)
- A Security bypass vulnerability which leads to remote code execution (CVE-2017-16380)
- A Stack exhaustion vulnerability which leads to excessive resource consumption (CVE-2017-16419)
- A type confusion vulnerability which leads to remote code execution (CVE-2017-16367, CVE-2017-16379 and CVE-2017-16406)
- An untrusted pointer dereference vulnerability which leads to remote code execution (CVE-2017-16364, CVE-2017-16371, CVE-2017-16372, CVE-2017-16373, CVE-2017-16375 and CVE-2017-16411)
- Affected Applications:
Acrobat 2017, 2017.011.30066 and earlier versions, on Windows and Macintosh
Acrobat Reader 2017, 2017.011.30066 and earlier versions, on Windows and Macintosh
Acrobat XI, 11.0.22 and earlier versions, on Windows and Macintosh
Reader XI, 11.0.22 and earlier versions, on Windows and Macintosh
- Impact: Remote Code Execution, Information Disclosure.
APSB17-37 (Adobe DNG Converter):
- An Unspecified Memory Corruption Vulnerability (CVE-2017-11295)
- Affected Applications:
Adobe DNG Converter 9.12.1 and earlier versions on Windows.
- Impact: Memory Corruption.
- An unspecified memory corruption vulnerability which leads to remote code execution (CVE-2017-11302)
- Affected Applications:
InDesign 12.1.0 and earlier versions on Windows and Macintosh.
- Impact: Remote Code Execution.
APSB17-39 (Adobe Digital Editions):
- Unsafe parsing of XML external entities which leads to information disclosure. (CVE-2017-11273)
- Multiple out-of-bounds read vulnerabilities which lead to memory address disclosure. (CVE-2017-11297, CVE-2017-11298, CVE-2017-11299 and CVE-2017-11300)
- A memory corruption vulnerability which leads to memory address disclosure. (CVE-2017-11301)
- Affected Applications:
Adobe Digital Editions 4.5.7 on Windows, Linux, and Macintosh.
- Impact: Information Disclosure.
- An unspecified memory corruption vulnerability which leads to remote code execution (CVE-2017-11294)
- Affected Applications:
Adobe Shockwave Player 12.2.9.199 and earlier.
- Impact: Remote Code Execution.
APSB17-41 (Adobe Experience Manager):
- Reflected cross-site scripting vulnerability which leads to information disclosure. (CVE-2017-3109)
- Sensitive token in HTTP GET request which leads to information disclosure. (CVE-2017-3111)
- Cross-site scripting vulnerability which leads to information disclosure (CVE-2017-11296)
- Affected Applications:
Adobe Experience Manager 6.3, 6.2, 6.1, 6.0
- Impact: Information Disclosure.
SecPod Saner detects these vulnerabilities and automatically fixes them by applying security updates. Download Saner now and keep your systems updated and secure.