Adobe has patched a number of vulnerabilities in Flash Player and Adobe Experience Manager (AEM) Forms in the company’s latest round of patch updates.
According to the tech giant’s latest security advisory, seven critical issues (CVE-2017-3068, CVE-2017-3069, CVE-2017-3070, CVE-2017-3072, CVE-2017-3073, CVE-2017-3074) have now been resolved in Flash.
Six of the bugs are memory corruption issues and the seventh problem (CVE-2017-3071) is a use-after-free vulnerability.
All of the problems can lead to remote code execution and can be exploited by attackers to hijack user systems through crafted, malicious files and fraudulent web pages.
The updates impact Flash running on Windows, Mac, Linux and the Chrome operating system. Once updated, the most up-to-date version of Flash is version 22.214.171.124.
“Flash has historically been the top target for exploit kits,” Amol Sarwate, director of vulnerability research at Qualys, said. “However, we have observed that defender behavior — how fast patches are applied along with other factors — could have led to a decline in the number of Flash vulnerabilities being weaponised in exploit kits.”
“In 2016, the time to patch 80 percent of Flash vulnerabilities reduced by more than half to 62 days as compared to the previous year when it was 144 days, based on data from more than 3 billion scans carried out last year,” Sarwate added.
Adobe also took the opportunity to resolve a security flaw in Adobe Experience Manager (AEM) Forms on Windows, Linux, Solaris and AIX. The vulnerability, CVE-2017-3067, affects versions 6.0, 6.1 and 6.2 and permits attackers to compromise the pre-population service in AEM Forms, resulting in information disclosure.
The bug has been patched by giving administrators new controls to restrict file paths and protocols used to pre-fill forms.
As always, Adobe recommends that the patches be applied immediately.
In March, Adobe resolved six critical flaws in Flash, including a buffer overflow vulnerability and memory corruption flaws.