Adobe’s first round of security updates for 2019 resolves two critical flaws in Adobe Acrobat and Reader for Windows and macOS. The updates address the critical vulnerabilities CVE-2018-16011 and CVE-2018-19725.
Successful exploitation of the flaws could lead to arbitrary code execution in the context of the current user.
The first vulnerability, CVE-2018-16011, was reported by Sebastian Apelt in conjunction with Trend Micro’s Zero Day Initiative. It is a critical use-after-free flaw that could enable arbitrary code execution. The vulnerability had been addressed as a separate issue in a previous Adobe advisory.
Attackers can exploit the flaw by tricking a user into opening a specially crafted PDF file, which ultimately executes code of the attacker’s choice with the privileges of the currently logged-in user, allowing attackers to run malicious software on the victim’s computer without their knowledge.
The second flaw, CVE-2018-19725, was discovered by Abdul Aziz Hariri and is a critical security bypass vulnerability that allows privilege escalation. The flaw “is a security feature bypass that would allow a privilege escalation, giving an attacker broader access to the system affected,” according to Chris Goettl, director of product management, security, at Ivanti.
Impact
Affected are Acrobat DC and Acrobat Reader DC (Continuous track) versions 2019.010.20064 and earlier; Acrobat 2017 and Acrobat Reader 2017 (Classic 2017 track) versions 2017.011.30110 and earlier; and Acrobat DC and Acrobat Reader DC (Classic 2015 track) versions 2015.006.30461 and earlier.
The patches are rated priority 2, meaning that there are no known exploits for the vulnerabilities, but they exist in products that have historically been “at elevated risk,” according to Adobe.
Adobe recommends that users update to Acrobat DC and Acrobat Reader DC version 2019.010.20069 (Continuous), Acrobat 2017 and Acrobat Reader 2017 version 2017.011.30113 (Classic 2017), and Acrobat DC and Acrobat Reader DC version 2015.006.30464 (Classic 2015).
The patch comes on the heels of a busy December for Adobe. The company patched 87 vulnerabilities in Acrobat and Reader in its December Patch Tuesday update, including a slew of critical flaws that would allow arbitrary code execution. Beyond that, Adobe Flash had two zero-day vulnerabilities, one in late November (CVE-2018-15981) and one in early December (CVE-2018-15982).
“Between this update and the December APSB18-41, which resolved 87 vulnerabilities, it is recommended to ensure that any Adobe Acrobat and Reader instances are updated in the next two to four weeks,” Goettl told us. “You can also expect an Adobe Flash Player update next week on Patch Tuesday.”
Since the vulnerabilities are now public, threat actors can be expected to seize any opportunity to exploit them against user computers; Mac and Windows users are strongly advised to install the patches for the two vulnerabilities as soon as possible.
Adobe typically releases security updates for its software on the second Tuesday of the month, just like Microsoft, so you can expect the company to release regular patch updates for the rest of its software in this month’s release.
Product | Track | Affected Versions | Platform |
---|---|---|---|
Acrobat DC | Continuous | 2019.010.20064 and earlier versions | Windows and macOS |
Acrobat Reader DC | Continuous | 2019.010.20064 and earlier versions | Windows and macOS |
Acrobat 2017 | Classic 2017 | 2017.011.30110 and earlier versions | Windows and macOS |
Acrobat Reader 2017 | Classic 2017 | 2017.011.30110 and earlier versions | Windows and macOS |
Acrobat DC | Classic 2015 | 2015.006.30461 and earlier versions | Windows and macOS |
Acrobat Reader DC | Classic 2015 | 2015.006.30461 and earlier versions | Windows and macOS |
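For an administrator who needs to find unpatched installs, the recommended-version paragraph and the affected-versions table above reduce to a per-track comparison of build numbers. The following Python script is an added example, not code from the article or from Adobe: it parses Acrobat-style version strings, maps each to its release track, and reports which records in a software inventory are below the fixed build. The fixed builds are the ones the article lists; the year-prefix rule for guessing a track (2015 = Classic 2015, 2017 = Classic 2017, 2018 or later = Continuous) and the inventory records are assumptions constructed for the example.

```python
"""Flag Adobe Acrobat / Reader installs that are below the January 2019 fixed builds."""
from typing import NamedTuple, Optional

# Fixed versions per release track, taken from the advisory text.
FIXED_VERSIONS = {
    "Continuous": "2019.010.20069",
    "Classic 2017": "2017.011.30113",
    "Classic 2015": "2015.006.30464",
}


class Finding(NamedTuple):
    host: str
    product: str
    version: str
    track: str
    fixed_version: str


def parse_version(ver: str) -> tuple:
    """Turn 'YYYY.mmm.bbbbb' into a tuple of ints so it compares numerically
    (string comparison would mis-order builds such as 20064 vs 9999)."""
    parts = ver.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {ver!r}")
    return tuple(int(p) for p in parts)


def track_for(ver: str) -> str:
    """Guess the release track from the leading year field.
    Assumption for this example: Classic 2015 builds start with 2015, Classic 2017
    builds with 2017, and the Continuous track covers 2018 and later."""
    year = parse_version(ver)[0]
    if year == 2015:
        return "Classic 2015"
    if year == 2017:
        return "Classic 2017"
    if year >= 2018:
        return "Continuous"
    raise ValueError(f"no known track for version {ver!r}")


def needs_update(ver: str, track: Optional[str] = None) -> bool:
    """True when the installed build is older than the fixed build for its track.
    A caller that knows the track (e.g. from the product name) can pass it explicitly."""
    track = track or track_for(ver)
    return parse_version(ver) < parse_version(FIXED_VERSIONS[track])


def audit(inventory) -> list:
    """Return a Finding for every (host, product, version) record that still needs the update."""
    findings = []
    for host, product, version in inventory:
        track = track_for(version)
        if needs_update(version, track):
            findings.append(Finding(host, product, version, track, FIXED_VERSIONS[track]))
    return findings


# Constructed sample inventory: hostnames, products and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("ws-01", "Acrobat Reader DC", "2019.010.20064"),  # affected, Continuous
    ("ws-02", "Acrobat Reader DC", "2019.010.20069"),  # already fixed
    ("ws-03", "Acrobat Reader DC", "2018.011.20063"),  # older Continuous build, affected
    ("ws-04", "Acrobat 2017", "2017.011.30110"),       # affected, Classic 2017
    ("ws-05", "Acrobat 2017", "2017.011.30113"),       # already fixed
    ("ws-06", "Acrobat DC", "2015.006.30461"),         # affected, Classic 2015
    ("ws-07", "Acrobat DC", "2015.006.30464"),         # already fixed
]


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.product} {f.version} ({f.track}) -> update to {f.fixed_version}")
```

Feeding the script real data means replacing `SAMPLE_INVENTORY` with records pulled from whatever software-inventory source the environment already has; the comparison itself is deliberately conservative, treating any build below the fixed one as needing the update rather than only the builds the table names as affected.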