Adobe on Thursday released unscheduled security updates for Adobe Acrobat and Reader for Windows and macOS.
The first vulnerability, CVE-2018-16011, reported by Sebastian Apelt in conjunction with the Zero Day Initiative, is a critical use-after-free flaw that could enable arbitrary code execution. The vulnerability had been addressed as a separate issue included in a previous Adobe advisory.
The second flaw, CVE-2018-19725, reported by Abdul Aziz Hariri, is a critical security bypass vulnerability that allows privilege escalation. That flaw “is a security feature bypass that would allow a privilege escalation, giving an attacker broader access to the system affected,” Chris Goettl, director of product management, security, at Ivanti, told Threatpost.
Impacted are Acrobat DC and Acrobat Reader DC versions 2019.010.20064 and earlier; Acrobat 2017 and Acrobat Reader 2017 versions 2017.011.30110 and earlier; and Acrobat DC and Acrobat Reader DC versions 2015.006.30461 and earlier.
The patches carry a priority rating of 2, meaning that there are no known exploits for the vulnerabilities, but they exist in products that have historically been “at elevated risk,” according to Adobe.
Adobe recommends that users update to Acrobat DC and Acrobat Reader DC version 2019.010.20069; Acrobat 2017 and Acrobat Reader 2017 version 2017.011.30113; and Acrobat DC and Acrobat Reader DC version 2015.006.30464.
The patch comes on the heels of a busy December for Adobe. The company patched 87 vulnerabilities in Acrobat and Reader in its December Patch Tuesday update, including a slew of critical flaws that would allow arbitrary code execution. Beyond that, Adobe Flash Player had two zero-day vulnerabilities in late November (CVE-2018-15981) and early December (CVE-2018-15982).
“Between this update and the December APSB18-41, which resolved 87 vulnerabilities, it is recommended to ensure that any Adobe Acrobat and Reader instances are updated in the next two to four weeks,” Goettl told us. “You can also expect an Adobe Flash Player update next week on Patch Tuesday.”
Both flaws were reported through Trend Micro’s Zero Day Initiative.