Adobe issued security updates for Flash Player, Acrobat, Reader, and XMP Toolkit for Java, to address multiple critical vulnerabilities.
This month, 52 security bugs ended up fixed in Flash Player, including vulnerabilities under attack or have a higher risk of being a target.
Adobe Flash Player 18.104.22.168 and Flash Player Extended Support Release 22.214.171.1246 for Windows and Mac, Adobe Flash Player for Linux 126.96.36.1992 resolve these issues.
The vulnerabilities also ended up fixed in version 188.8.131.52 of Adobe Flash Player for Google Chrome for Windows, Macintosh, Linux and ChromeOS and of Adobe Flash Player for Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1.
The update fixes type confusion flaws (CVE-2016-4223, CVE-2016-4224, CVE-2016-4225), use-after-free bugs (CVE-2016-4173, CVE-2016-4174, CVE-2016-4222, CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4248), a heap buffer overflow vulnerability (CVE-2016-4249), stack corruption issues (CVE-2016-4176, CVE-2016-4177), and 33 memory corruption vulnerabilities that could lead to code execution.
Adobe also mitigated a race condition vulnerability that could lead to information disclosure (CVE-2016-4247), a memory leak vulnerability (CVE-2016-4232), and a security bypass vulnerability that could lead to information disclosure (CVE-2016-4178) in Flash Player.
As always, users should update the runtime via the official channels to stay protected.
For Acrobat and Reader, there were 30 security flaws for Windows and Mac OS X, most of which could result in code execution and could potentially allow an attacker to take control of the affected system.
The new patches are available for the Continuous and Classic tracks, as well as for Acrobat XI and Reader XI releases.
Acrobat DC and Acrobat Reader DC version 15.017.20050 (Continuous track) and 15.006.30198 (Classic track) and Acrobat XI and Reader XI version 11.0.17 (Desktop track) resolve the issues. Although there are currently no known exploits for these flaws, users are advised to update their software as soon as possible to stay protected.
The security update released for Adobe XMP Toolkit for Java resolves a vulnerability associated with the parsing of crafted XML external entities in XMPCore that could lead to information disclosure (CVE-2016-4216). Discovered by Tim Allison of the MITRE corporation, the flaw ended up resolved in version 5.1.3 of the product, Adobe said.