CVSS3: 9.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.045 Low
Percentile: 91.5%

Adobe has released its August 2018 security updates, patching a total of 11 vulnerabilities in its products, two of which are rated critical and affect Adobe Acrobat and Reader.
The vulnerabilities addressed in this month's updates affect Adobe Flash Player, the Creative Cloud Desktop Application, Adobe Experience Manager, and the Adobe Acrobat and Reader applications.
None of the vulnerabilities patched this month had been publicly disclosed or found to be actively exploited in the wild.
Security researchers from Trend Micro’s Zero Day Initiative and Cybellum Technologies discovered and reported the two critical arbitrary code execution vulnerabilities in Acrobat DC and Acrobat Reader DC for Windows and macOS.
According to the Adobe advisory, the flaw (CVE-2018-12808) reported by Cybellum Technologies is an out-of-bounds write flaw, whereas the bug (CVE-2018-12799) reported by Zero Day Initiative is an untrusted pointer dereference vulnerability.
The latest version of the Adobe Flash Player application, 30.0.0.154, patches a total of five vulnerabilities, including four important information disclosure bugs and one non-critical remote code execution issue.
The remote code execution bug is a privilege escalation issue reported by Kai Song from Tencent; it leads to arbitrary code execution, but the company has rated it “important.”
All five vulnerabilities affect desktop runtime and Google Chrome versions of Flash Player for Windows, macOS, Linux, and Chrome OS.
The company has also released security patches for its enterprise content management solution, Adobe Experience Manager, to address two cross-site scripting (XSS) vulnerabilities and one input validation bypass flaw.
The XSS flaws could result in information disclosure, while the input validation bypass bug could allow an attacker to modify information.
All three vulnerabilities have been rated “moderate” in severity and affect Experience Manager on all platforms; users are advised to download the latest version as soon as possible.
Adobe has also patched an important privilege escalation flaw (CVE-2018-5003) in the Creative Cloud Desktop Application installer for Windows.
The vulnerability, which has been patched in the latest version 4.5.5.342, originates from the insecure loading of libraries, leading to DLL hijacking attacks.
Adobe recommends that end users and administrators download and install the latest security patches as soon as possible.