a large-scale rollout of security updates for a variety of its products for February
Patch Tuesday, including a critical patch for Flash Player that if exploited could
result in arbitrary code execution in the context of the current user.
Adobe Flash Player in receiving security updates are Framemaker, Acrobat Reader
and DC, Digital Editions and Experience Manager.
listed CVE-2020-3757 as a critical type confusion vulnerability for Flash
Player for Windows, Mac and Linux, although it noted that the issue is not
being exploited in the wild at this time. A patch
updates patch 21 critical CVEs covering a buffer error, heap overflow, memory
corruption and out-of-bounds write flaws, all of which can lead to arbitrary
code execution if left unpatched
and are exploited.
Reader DC combined had 12 critical, three important and two moderate-rated
issues. The most pressing problems center on heap overflow, buffer error, privilege
escalation and use after free vulnerabilities potentially leading to arbitrary
code execution if left unpatched.
Edition had patches
issued for the critical, CVE-2020-3760, and important-rated, CVE-2020-3759. The former is a command injection problem
that could lead to arbitrary code execution and the latter is a buffer error
that could result in information disclosure.
Manager had the lone important-rated CVE-2020-3741 patched.
If left as is this could lead to a denial of service condition due to an uncontrolled
resource consumption problem.