Adobe has patched 87 vulnerabilities for Acrobat and Reader in its December Patch Tuesday update, including a slew of critical flaws that would allow arbitrary code-execution.
The scheduled update comes less than a week after Adobe released several out-of-band fixes for Flash Player, including a critical vulnerability (CVE-2018-15982) that it said is being exploited in the wild. That’s a use-after-free flaw enabling arbitrary code-execution in Flash.
Critical Code-Execution Flaws
The critical vulnerabilities addressed this month are numerous. The arbitrary code-execution bugs include two buffer errors, two untrusted pointer dereferences, three heap overflows, five out-of-bounds writes and 24 use-after-free flaws. Adobe also patched three other critical-rated issues that could lead to privilege escalation; all three are security bypass problems.
Important Information Disclosure Flaws
In addition to the critical bugs, Adobe also patched 43 out-of-bounds read flaws, four integer overflow problems and two security bypass issues, all of which could allow information disclosure.
The company didn’t release specific details on any of the flaws, but Threatpost will update this page with any additional aspects or additional commentary that we uncover.
Adobe has characterized all of the flaws, both critical and important, as “priority two” for patching, which means that the software giant deems them to be unlikely to be imminently exploited in the wild, but patching within 30 days is recommended.
The flaws are far-reaching and affect Acrobat DC, Acrobat Reader DC, Acrobat 2017 and Acrobat Reader 2017 for macOS and Windows, across the Classic 2015, Classic 2017 and Continuous tracks. All are fixed by updating to the most current version of the software for the track in use.
“New versions of Acrobat and Reader were released today that fix 87 separate vulnerabilities. It might seem like a lot, but it’s not unusual as Acrobat releases go,” said Greg Wiseman, senior security researcher, Rapid7, in an email. “The massive attack surface represented by Acrobat and Reader makes it crucial to stay up-to-date.”
Tyler Reguly, manager of software development at Tripwire, told Threatpost that he had a different take.
“The biggest thing that stands out to me is that in 63 days, Adobe has patched, based on my count, 176 vulnerabilities in Adobe Reader and Acrobat,” he said. “That is roughly 2.8 vulnerabilities per day. Unfortunately, Adobe security never seems to improve, it just toes the line and continues to contain high vulnerability counts. To some extent, modern operating systems have removed our reliance on Adobe Reader / Acrobat, just as HTML5 has removed our reliance on Adobe Flash… but these are places where historically Adobe had something close to a monopoly, so the technologies are still heavily ingrained in enterprises. Then again, you have to wonder whether the quantity of vulnerabilities contained within Adobe products is due to a flaw within their development or is simply an artifact of their popularity, as is the case with so many other operating systems and applications. If another product were to replace them in popularity, would we see the CVE counts start to shift?”