Scroll Top

Security updates for Adobe Acrobat and Reader



Adobe’s first round of security updates for 2019 resolve two critical flaws for Adobe Acrobat and Reader for Windows and MacOS. These updates address critical vulnerabilities, CVE-2018-16011 and CVE-2018-19725.

Successful exploitation of the flaws could lead to arbitrary code execution in the context of the current user.

The first vulnerability, reported by Sebastian Apelt in conjunction with Trend Micro’s Zero Day Initiative and is identified as CVE-2018-16011, is a critical use-after-free flaw that could enable arbitrary code-execution. The vulnerability had been addressed in a separate issue included in a previous Adobe advisory.

Attackers can exploit the flaw by tricking a user into clicking a specially crafted PDF file, which will eventually execute code of their choice with the privileges of the currently logged-in user, allowing attackers to run any malicious software on the victims’ computers without their knowledge.

The second flaw, which was discovered by Abdul Aziz Hariri and is identified as CVE-2018-19725, is a critical security bypass vulnerability that allows privilege escalation. That flaw “is a security feature bypass that would allow a privilege escalation, giving an attacker broader access to the system affected”, according to Chris Goettl, director of product management, security, at Ivanti.

 

Impact

Impacted are Acrobat DC and Acrobat Reader DC versions 2019.010.20064 and earlier; Acrobat 2017 and Acrobat Reader 2017 versions 2017.011.30110 and earlier; and Acrobat DC and Acrobat Reader DC versions 2015.006.30461 and earlier.

The patches are a priority 2, meaning that there are no known exploits for the vulnerabilities; but they exist in products that have historically been “at elevated risk,” according to Adobe.

Adobe recommends users update to Adobe Acrobat and Reader versions 2019.010.20069, Acrobat 2017 and Acrobat Reader 2017.011.30113 and Acrobat DC and Acrobat Reader DC 2015.006.30464.

The patch comes on the heels of a busy December for Adobe. The company patched 87 vulnerabilities for Acrobat and Reader in its December Patch Tuesday update, including a slew of critical flaws that would allow arbitrary code-execution. Beyond that, Adobe Flash had two Zero Day vulnerabilities in late November (CVE-2018-15981) and early December (CVE-2018-15982).

“Between this update and the December APSB18-41, which resolved 87 vulnerabilities, it is recommended to ensure that any Adobe Acrobat and Reader instances are updated in the next two to four weeks,” Goettl told us. “You can also expect an Adobe Flash Player update next week on Patch Tuesday.”

Since the vulnerabilities are now public, threat actors would not leave any opportunity to exploit the issues to target user computers, Mac and Windows computer owners are highly recommended to install patches for the two vulnerabilities as soon as possible.

Adobe typically releases security updates for its software on the second Tuesday of the month, just like Microsoft, so you can expect the company to release regular patch updates for the rest of its software in this month’s release.

Product
Track
Affected Versions
Platform
Acrobat DCContinuous2019.010.20064 and earlier versionsWindows and macOS
Acrobat Reader DCContinuous2019.010.20064 and earlier versionsWindows and macOS
Acrobat 2017Classic 20172017.011.30110 and earlier versionWindows and macOS
Acrobat Reader 2017Classic 20172017.011.30110 and earlier versionWindows and macOS
Acrobat DCClassic 20152015.006.30461 and earlier versionsWindows and macOS
Acrobat Reader DCClassic 20152015.006.30461 and earlier versionsWindows and macOS


Related Posts

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.