Adobe Fixes Two Critical Acrobat and Reader Flaws

Author: Lindsey O'Donnell
minute read
adobe security updates

An unscheduled patch fixed two critical flaws that could enable arbitrary code execution.

Adobe on Thursday released unscheduled security updates for Adobe Acrobat and Reader for Windows and MacOS.

The updates fix two critical vulnerabilities, CVE-2018-16011 and CVE-2018-19725. Successful exploitation of the flaws could lead to arbitrary code execution in the context of the current user.

The first vulnerability, CVE-2018-16011, reported by Sebastian Apelt in conjunction with the Zero Day Initiative, is a critical use-after-free flaw that could enable arbitrary code-execution. The vulnerability had been addressed in a separate issue included in a previous Adobe advisory.

The second flaw, CVE-2018-19725, reported by Abdul Aziz Hariri, is a critical security bypass vulnerability that allows privilege escalation. That flaw “is a security feature bypass that would allow a privilege escalation, giving an attacker broader access to the system affected,” Chris Goettl, director of product management, security, at Ivanti, told Threatpost.

Impacted are Acrobat DC and Acrobat Reader DC versions 2019.010.20064 and earlier; Acrobat 2017 and Acrobat Reader 2017 versions 2017.011.30110 and earlier; and Acrobat DC and Acrobat Reader DC versions 2015.006.30461 and earlier.

The patches are a priority 2, meaning that there are no known exploits for the vulnerabilities; but they exist in products that have historically been “at elevated risk,” according to Adobe.

adobe patch

Adobe recommends users update to Adobe Acrobat and Reader versions 2019.010.20069, Acrobat 2017 and Acrobat Reader 2017.011.30113 and Acrobat DC and Acrobat Reader DC 2015.006.30464.

The patch comes on the heels of a busy December for Adobe. The company patched 87 vulnerabilities for Acrobat and Reader in its December Patch Tuesday update, including a slew of critical flaws that would allow arbitrary code-execution. Beyond that, Adobe Flash had two Zero Day vulnerabilities in late November (CVE-2018-15981) and early December (CVE-2018-15982).

“Between this update and the December APSB18-41, which resolved 87 vulnerabilities, it is recommended to ensure that any Adobe Acrobat and Reader instances are updated in the next two to four weeks,” Goettl told us. “You can also expect an Adobe Flash Player update next week on Patch Tuesday.”

Both flaws were reported through Trend Micro’s Zero Day Initiative.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.