Adobe has released a security update for Adobe Digital Editions for Windows, Macintosh, iOS, and Android. This update addresses an XML external entity processing vulnerability rated critical that could lead to information disclosure, out-of-bounds read vulnerabilities that could lead to the disclosure of memory addresses and a memory corruption vulnerability that could lead to the disclosure of memory addresses.
| Product | Version | Platform |
|---|---|---|
| Adobe Digital Editions | 4.5.6 and earlier versions | Windows, Macintosh, iOS and Android |
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
| Product | Version | Platform | Priority | Availability |
| Adobe Digital Editions | 4.5.7 | Windows | 3 | Download Page |
| Macintosh | 3 | Download Page | ||
| iOS | 3 | iTunes | ||
| Android | 3 | Playstore |
Märkus.
- Customers using Adobe Digital Editions 4.5.6 can download the update from the Adobe Digital Editions download page, or utilize the product’s update mechanism when prompted.
- For more information, please reference the release notes.
| Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers |
| Unsafe parsing of XML External Entities | Information Disclosure | Critical | CVE-2017-11273 |
| Out-of-bounds read | Memory address disclosure | Important | CVE-2017-11297 |
| Out-of-bounds read | Memory address disclosure | Important | CVE-2017-11298 |
| Out-of-bounds read | Memory address disclosure | Important | CVE-2017-11299 |
| Out-of-bounds read | Memory address disclosure | Important | CVE-2017-11300 |
| Memory Corruption | Memory address disclosure | Important | CVE-2017-11301 |
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:
- Steven Seeley of Source Incite (CVE-2017-11273)
- Jaanus Kääp, Clarified Security (CVE-2017-11297, CVE-2017-11298, CVE-2017-11299, CVE-2017-11300)
- Riusksk of Tencent Security Platform Department (CVE-2017-11301)