CIO

Adobe patches dozens of critical flaws in Acrobat PDF products

  • Liam Tung (CSO Online)
  • 16 October, 2019 04:53

Adobe has released a relatively large batch of fixes for its Acrobat and Reader products, plugging up 45 critical flaws and 23 important flaws, making a grand total of 68 flaws. 

Adobe has updates available for macOS and Windows systems using Acrobat DC, Acrobat Reader DC, Acrobat 2017, Reader 2017, Acrobat 2015 and Reader 2015.

The 45 critical flaws would allow arbitrary code execution. “Successful exploitation could lead to arbitrary code execution in the context of the current user,” Adobe warned. 

The big update today follows an absence of patches, which usually fall on the same day as Microsoft’s October Patch Tuesday.

Fortunately, according to Adobe, none of the 68 Acrobat flaws are being actively exploited. Nonetheless, the company is advising users and admins to install the updates.

There’s also one more Adobe Reader-related “important” flaw in the Adobe Download Manager, a tool for assisting downloads for Reader and Flash Player for Windows. The tool had insecure file permissions that could allow an attacker to escalate privileges.     

While 45 of the Acrobat and Reader flaws are critical, Adobe gave the bugs a priority “2” rating for patching.

Adobe also has security updates available for the Adobe Experience Manager (AEM), its set of products for managing digital content. Multiple important and moderate flaws affect versions 6.5 through to 6.0 of AEM. Updates are available for AEM versions 6.5, 6.4 and 6.3. 

“Successful exploitation could result in unauthorized access to the AEM environment,” Adobe notes.   

The fourth product it has updates for is Adobe Experience Manager Forms, its product for managing and publishing digital forms.

The update addresses a stored cross-site scripting vulnerability that Adobe rated as “important” and “could result in sensitive information disclosure”.