Adobe Security Bulletin

Security update available for Adobe Digital Editions

Release date: December 13, 2016

Vulnerability identifier: APSB16-45

Priority: 3

CVE numbers: CVE-2016-7888, CVE-2016-7889

Platform: Windows, Macintosh and Android

Summary

Adobe has released a security update for Adobe Digital Editions for Windows, Macintosh and Android. This update resolves an important vulnerability that could result in a memory address leak, and an important XML parsing vulnerability that could lead to information disclosure.

Affected versions

Product | Affected version | Platform
Adobe Digital Editions | 4.5.2 and earlier versions | Windows, Macintosh and Android

Solution

Adobe categorizes this update with the following priority ratings and recommends users update their installation to the newest version:

Product | Updated version | Platform | Priority rating | Availability
Adobe Digital Editions | 4.5.3 | Windows | 3 | Download Page
Adobe Digital Editions | 4.5.3 | Macintosh | 3 | Download Page
Adobe Digital Editions | 4.5.3 | Android | 3 | Playstore

Customers using Adobe Digital Editions 4.5.2 can download the update from the Adobe Digital Editions download page, or utilize the product’s update mechanism when prompted.

For more information, please reference the release notes.

Vulnerability Details

  • This update resolves a vulnerability that could lead to a memory address leak (CVE-2016-7888).
  • This update resolves an issue associated with parsing crafted XML entities that could lead to information disclosure (CVE-2016-7889).

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

  • Steven Seeley of Source Incite working with Trend Micro's Zero Day Initiative (CVE-2016-7888)
  • Craig Arendt (CVE-2016-7889)