Adobe on Tuesday released three patches – including a fix for a flaw in Adobe Acrobat and Reader that exposes hashed passwords that already has a proof-of-concept (PoC) exploit code publicly available.
The information disclosure vulnerability, CVE-2018-15979, exists in Adobe Acrobat and Reader for Windows and was reported by the EdgeSpot team.
“Successful exploitation could lead to an inadvertent leak of the user’s hashed NTLM password,” said Adobe, in its release. NTLM is the authentication protocol used on networks that include systems running the Windows operating system and on standalone systems.
While no further information about the PoC was revealed, Adobe said the attack allows bad actors to redirect a user to a malicious resource outside their organization to obtain the NTLM authentication messages.
The vulnerability is “important” in severity, and the update has a “Priority 1” rating, meaning that it “resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform,” according to Adobe.
Impacted versions include Acrobat DC and Reader DC 2019.008.20080 and earlier versions; Acrobat Classic and Reader Classic 2017.011.30105 and earlier versions; and Acrobat DC Classic and Acrobat Reader DC Classic 2015.006.30456 and earlier versions.
Overall, only three patches were released as part of Adobe’s regularly-scheduled November update – compared to last month’s 47. All three fix information-disclosure issues.
One of these updates addresses a flaw in Adobe Flash Player. The vulnerability, CVE-2018-15978, exists in Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 – all versions 184.108.40.206 and earlier.
“These updates address an important vulnerability in Adobe Flash Player 220.127.116.11 and earlier versions,” said Adobe in its update. “Successful exploitation could lead to information disclosure.”
Finally, the company released an update for an “important” flaw in Adobe Photoshop CC for Windows and MacOS.
That flaw, CVE- 2018-15980, exists in Photoshop CC 19.1.6 and earlier 19.x versions. It was discovered by Trend Micro’s Zero Day Initiative.
These other two fixes released were also rated “important.” However, Adobe said that it was not aware of any exploits existing that relate to these vulnerabilities.