Adobe Patches 34 More Bugs In Flash

The August patch haul is a marginal improvement over the 36 security vulnerabilities that Adobe patched in the July patch update, though the firm did have to patch an additional two zero-day flaws days after that update was released to deal with issues identified in the recent Hacking Team breach.

As opposed to the two issues fixed after the Hacking Team breach, which were being actively exploited, Adobe has stated that it is not aware of any exploits in the wild for any of the 34 issues addressed in the August update.

Project Zero

In July, the primary source of bug reporting to Adobe for Flash came by way of Google’s Project Zero initiative, which responsibly disclosed 20 vulnerabilities. For the August patch haul, Adobe credits Google Project Zero researchers for reporting 23 bugs.

Google has also been working with Adobe to prevent future exploits via a number of security mitigations that Adobe has already implemented.

“For Flash Player, we put the vector mitigation technologies into the last update,” Adobe spokesperson Wiebke Lips told eWEEK. “So those mitigations should help significantly.”

While Adobe is patching Flash today, it isn’t patching its Adobe Reader PDF application. That’s despite the fact that at the DefCon security conference in Las Vegas on Aug. 9, Brian Gorenc, manager of vulnerability research at HP’s Zero Day Initiative (ZDI), discussed multiple sets of vulnerabilities in Adobe Reader, including a set of CVEs related to JavaScript APIs in Reader.

Gorenc noted that Adobe has patched many of the issues that it has submitted so far. ZDI has submitted approximately 100 vulnerabilities to Adobe for Reader in 2015, according to Gorenc.

Adobe patches Reader on a quarterly basis, while HP has a responsible disclosure policy that gives vendors up to four months to patch a vulnerability before HP publicly discloses any issue. Given the highly efficient nature of Adobe’s security organization, it’s very likely that all of the issues that HP has found will be patched inside of the four-month timeline.

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

4 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

4 days ago