Adobe Security Bulletin

Security update available for Adobe Digital Editions

Release date: February 14, 2017

Last updated date: February 17, 2017

Vulnerability identifier: APSB17-05

Priority: 3

CVE numbers: CVE-2017-2973, CVE-2017-2974, CVE-2017-2975, CVE-2017-2976, CVE-2017-2977, CVE-2017-2978, CVE-2017-2979, CVE-2017-2980, CVE-2017-2981    

Platform: Windows, Macintosh, iOS and Android

Summary

Adobe has released a security update for Adobe Digital Editions for Windows, Macintosh, iOS and Android. This update resolves a critical heap buffer overflow vulnerability that could lead to code execution and important buffer overflow vulnerabilities that could lead to a memory leak.

Affected versions

Product Affected version Platform
Adobe Digital Editions 4.5.3 and earlier versions Windows, Macintosh, iOS and Android

Solution

Adobe categorizes this update with the following priority ratings and recommends users update their installation to the newest version:

Product Updated version Platform Priority rating Availability
    Windows
3 Download Page
Adobe Digital Editions 4.5.4 Macintosh 3 Download Page
    iOS 3 iTunes
    Android 3 Playstore

Customers using Adobe Digital Editions 4.5.3 can download the update from the Adobe Digital Editions download page, or utilize the product’s update mechanism when prompted.

For more information, please reference the release notes.

Vulnerability Details

  • This update resolves a vulnerability that could lead to a heap buffer overflow vulnerability that could lead to code execution (CVE-2017-2973). 
  • This update resolve buffer overflow vulnerabilities that could lead to a memory leak (CVE-2017-2974, CVE-2017-2975, CVE-2017-2976, CVE-2017-2978, CVE-2017-2977, CVE-2017-2979, CVE-2017-2980, CVE-2017-2981).

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

  • Steven Seeley of Source Incite working with Trend Micro's Zero Day Initiative (CVE-2017-2974, CVE-2017-2975, CVE-2017-2976, CVE-2017-2977, CVE-2017-2978, CVE-2017-2979, CVE-2017-2981). 
  • Steven Seeley of Source Incite (CVE-2017-2980).
  • Ke Liu of Tencent's Xuanwu LAB (CVE-2017-2973).

Revisions

February 17, 2017: Added release details of iOS platform.