Critical Out-of-Band Patch Issued for Adobe Acrobat Reader

2018-09-19T16:54:28
ID THREATPOST:2C665D070DE459709B1E7BE19E1427FE
Type threatpost
Reporter Lindsey O'Donnell
Modified 2018-09-19T16:54:28

Description

Adobe released patches for seven flaws in an unscheduled update for its Acrobat DC and Acrobat Reader DC products, the most severe of which could lead to arbitrary code execution. The patches, released Wednesday, come one week after Adobe’s regularly-scheduled September update.

The flaws addressed include one “critical” vulnerability, an out-of-bounds write flaw (CVE-2018-12848). “Successful exploitation could lead to arbitrary code execution in the context of the current user,” Adobe said in its release.

The remaining six out-of-bounds read vulnerabilities (CVE-2018-12849, CVE-2018-12850, CVE-2018-12801, CVE-2018-12840, CVE-2018-12778, CVE-2018-12775) are rated “important” and could enable information disclosure.

According to Adobe, its newest release impacts Acrobat DC and Acrobat Reader DC for Windows and macOS (versions 2018.011.20058 and earlier); Acrobat 2017 and Acrobat Reader 2017 for Windows and macOS (versions 2017.011.30099 and earlier); and Acrobat DC and Acrobat Reader DC 2015 for Windows and macOS (versions 2015.006.30448 and earlier).

All upgrades are rated priority 2, meaning there are no currently known exploits for the vulnerabilities, but Adobe still recommends administrators install the update “soon.”

Two of the flaws (CVE-2018-12778 and CVE-2018-12775) were anonymously reported via Trend Micro’s Zero Day Initiative. CVE-2018-12801 was discovered by Cybellum Technologies LTD, and four (CVE-2018-12848, CVE-2018-12849, CVE-2018-12850, CVE-2018-12840) were found by Omri Herscovici of Vulnerability Research, Check Point Software Technologies.

Adobe users should update their Acrobat DC and Acrobat Reader DC to version 2018.011.20063; Acrobat 2017 and Acrobat Reader 2017 to version 2017.011.30102; and Acrobat DC and Acrobat Reader DC 2015 to version 2015.006.30452.
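As an added example (not code from the article or from Adobe), the following script checks an inventory of installed Acrobat/Reader build numbers against the fixed versions listed above and reports hosts still on a vulnerable build. The rule that the first version component (2018, 2017, 2015) identifies the product track, and the sample inventory, are assumptions constructed for the example.

```python
# Added example: flag Acrobat/Reader installs older than the fixed builds
# named in this advisory. Not Adobe's tooling; the track mapping below is
# an assumption based on the version families the advisory lists.

# Fixed builds from the advisory, keyed by the product track (first component).
FIXED_BUILDS = {
    2018: (2018, 11, 20063),  # Acrobat DC / Acrobat Reader DC (2018 track)
    2017: (2017, 11, 30102),  # Acrobat 2017 / Acrobat Reader 2017
    2015: (2015, 6, 30452),   # Acrobat DC / Acrobat Reader DC 2015
}


def parse_version(text):
    """Parse 'YYYY.MMM.BBBBB' into a comparable tuple of ints (leading zeros ok)."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed):
    """True when the installed build is at or above the fixed build for its track."""
    version = parse_version(installed)
    track = version[0]
    if track not in FIXED_BUILDS:
        # Unknown track: do not guess, make the caller decide.
        raise ValueError(f"no fixed build known for track {track}")
    return version >= FIXED_BUILDS[track]


def vulnerable_hosts(inventory):
    """Return hostnames whose Acrobat/Reader build predates the fix, sorted."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory (hostname -> reported Acrobat/Reader version).
SAMPLE_INVENTORY = {
    "ws-finance-01": "2018.011.20058",  # last vulnerable 2018 build
    "ws-finance-02": "2018.011.20063",  # fixed
    "ws-legal-07": "2017.011.30099",    # vulnerable 2017 build
    "srv-docs-03": "2015.006.30452",    # fixed 2015 build
}

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs the out-of-band update")
```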

Adobe just had its regularly-scheduled update last week, where the company released patches fixing nine flaws in its ColdFusion product – including six critical vulnerabilities that could lead to arbitrary code execution.