Adobe conducted a large-scale rollout of security updates for a variety of its products for February Patch Tuesday, including a patch for a critical Flash Player flaw that, if exploited, could result in arbitrary code execution in the context of the current user.
Joining Adobe Flash Player in receiving security updates are Framemaker, Acrobat Reader and DC, Digital Editions and Experience Manager.
The company listed CVE-2020-3757 as a critical type confusion vulnerability for Flash Player for Windows, Mac and Linux, although it noted that the issue is not being exploited in the wild at this time. A patch is available.
Framemaker’s updates patch 21 critical CVEs covering buffer error, heap overflow, memory corruption and out-of-bounds write flaws, all of which can lead to arbitrary code execution if left unpatched and exploited.
Reader and Reader DC combined had 12 critical, three important and two moderate-rated issues. The most pressing problems center on heap overflow, buffer error, privilege escalation and use-after-free vulnerabilities potentially leading to arbitrary code execution if left unpatched.
Adobe Digital Editions had patches issued for the critical CVE-2020-3760 and the important-rated CVE-2020-3759. The former is a command injection problem that could lead to arbitrary code execution and the latter is a buffer error that could result in information disclosure.
Experience Manager had the lone important-rated CVE-2020-3741 patched. If left as is, this could lead to a denial-of-service condition due to an uncontrolled resource consumption problem.