Adobe Flash Player is back in the spotlight with a new round of updates. However, the 7 updates released for the software were only a small part of the changes the company shipped in April. All in all, Adobe released 5 security bulletins, which took care of 58 vulnerabilities. Only 2 of them were considered critical.
There were 7 critical updates for Flash Player on Mac, Windows, Linux and Chrome: CVE-2017-3058, CVE-2017-3059, CVE-2017-3062 and CVE-2017-3063, which address use-after-free vulnerabilities that may allow code execution, and CVE-2017-3060, CVE-2017-3061 and CVE-2017-3064, which address memory corruption issues that may also allow code execution.
Addressing Critical Issues
The batch of updates released in April addresses the problems reported in Adobe Acrobat and Reader. All 47 critical issues affect both the Mac and Windows versions and, if left unpatched, the bugs can lead, as mentioned above, to code execution and memory address leaks.
Adobe Photoshop surprised everyone with its presence on Patch Tuesday. There were two problems with it, CVE-2017-3004 and CVE-2017-3005. The first is a memory corruption issue that appeared when parsing malicious PCX files (which could also lead to code execution). The second update addresses a search path vulnerability in the Windows version of Photoshop.
Amol Sarwate, Qualys’ director of Engineering, said that an attacker could have exploited the Photoshop vulnerability by sending a malicious PCX file, thus gaining complete control over a user’s computer if they opened the file with Photoshop.
The last Adobe product that got an update is the Creative Cloud Desktop Application. The update addresses CVE-2017-3006 and CVE-2017-3007, which were not critical.