Adobe Flash Player once again headlined the company's Patch Tuesday offering, but the seven updates issued for this software were just the tip of the iceberg for the company this month.
Altogether, Adobe issued five security bulletins covering 58 vulnerabilities, all but two of which are considered critical.
Adobe listed seven critical updates for the Windows, Mac, Linux and Chrome versions of Flash Player, CVE-2017-3058, CVE-2017-3059, CVE-2017-3062, CVE-2017-3063, CVE-2017-3060, CVE-2017-3061, and CVE-2017-3064, the first four of which resolve use-after-free vulnerabilities that could lead to code execution. The final three fix memory corruption issues that can also lead to code execution.
The bulk of the updates being issued for April tackle problems within Adobe Acrobat and Reader. The 47 critical flaws cited are for the Windows and Macintosh versions of the software. If left unpatched and exploited, the bugs could lead to code execution or a memory address leak.
Adobe's Photoshop made a rare Patch Tuesday appearance with two problems being cited, CVE-2017-3004 and CVE-2017-3005. The first CVE resolves a memory corruption vulnerability when parsing malicious PCX files that could lead to code execution, while the second update resolves an unquoted search path vulnerability in Photoshop on Windows.
"Today's Adobe release also contains a critical updated for Photoshop (APSB17-12) which is one of the top software used for photo editing and manipulation. An attacker could send a malicious PCX file and take complete control of a user's computer if the file is viewed using Photoshop," said Amol Sarwate, Qualys' director of Engineering.The final Adobe product receiving a fix today is Creative Cloud Desktop Application with CVE-2017-3006 and CVE-2017-3007. These are considered important, but not critical, resolving a vulnerability related to the use of improper resources permissions during the software's installation in the former. The latter instance is related to the directory search path used to find resources that could lead to code execution.