Adobe fixed a slew of critical vulnerabilities in its Flash Player and Acrobat products as part of its regularly scheduled update on Tuesday morning.
Overall, the company issued 112 fixes for vulnerabilities across its products: Flash Player (two bugs), Acrobat and Reader (104 bugs), Experience Manager (three bugs) and Adobe Connect (three bugs). While the Acrobat products contained the bulk of these vulnerabilities, Flash Player also had a notable critical arbitrary code execution bug (CVE-2018-5007).
Adobe addressed two Flash Player bugs affecting various versions of the player: a critical arbitrary code execution bug (CVE-2018-5007) and an important out-of-bounds read information disclosure bug (CVE-2018-5008). Impacted are versions 30.0.0.113 and earlier of Adobe Flash Player Desktop Runtime for Windows, MacOS and Linux; Adobe Flash Player for Google Chrome on Windows, MacOS, Chrome OS and Linux; and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 on Windows 10 and 8.1.
Users are urged to update to version 30.0.0.134 using various installation methods, including the Flash Player Download Center, Adobe said.
Overall, 104 vulnerabilities were patched in Adobe Acrobat and Reader PDF products, including 53 critical bugs and 51 vulnerabilities rated important. Impacted are Acrobat DC and Acrobat Reader DC versions 2018.011.20040 and earlier versions; Acrobat 2017 and Acrobat Reader DC 2017 2017.011.30080 and earlier versions; and Acrobat DC and Acrobat Reader DC versions 2015.006.30418 and earlier versions. All impacted versions are available for both Windows and macOS, said Adobe.
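For administrators triaging an inventory against the affected ranges quoted above for Flash Player and the three Acrobat release tracks, the following check is an added example (not Adobe's or Threatpost's code); the inventory entries it runs over are constructed, and the treatment of Acrobat tracks not named in the text is an assumption noted in the code.

```python
"""Flag installed Adobe versions that fall within the affected ranges
quoted in the advisory summary (constructed example)."""

# Ceilings quoted in the text: a build at or below the ceiling for its
# release track is affected. Acrobat tracks are keyed by the leading
# year component; Flash Player has a single ceiling across all builds.
ACROBAT_CEILINGS = {
    2018: "2018.011.20040",  # Continuous track
    2017: "2017.011.30080",  # Classic 2017
    2015: "2015.006.30418",  # Classic 2015
}
FLASH_CEILING = "30.0.0.113"
FLASH_FIXED = "30.0.0.134"


def parse_version(text):
    """'2018.011.20040' -> (2018, 11, 20040); rejects non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a, b):
    """Component-wise numeric comparison; missing trailing parts count as 0."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def flash_affected(installed):
    return compare(installed, FLASH_CEILING) <= 0


def acrobat_affected(installed):
    # Assumption: tracks the text does not list (e.g. a 2019 build) are
    # reported as not affected rather than guessed at.
    track = parse_version(installed)[0]
    ceiling = ACROBAT_CEILINGS.get(track)
    return ceiling is not None and compare(installed, ceiling) <= 0


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("flash", "30.0.0.113"), ("flash", FLASH_FIXED),
                 ("acrobat", "2017.011.30080"), ("acrobat", "2018.011.20055")]
    for product, ver in inventory:
        hit = flash_affected(ver) if product == "flash" else acrobat_affected(ver)
        print(f"{product:8} {ver:16} {'AFFECTED' if hit else 'ok'}")
```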
“Adobe released a number of patches that affect all versions of Adobe Acrobat, Continuous, Classic 2017 and Classic 2015 on both Windows and Mac,” Allan Liska, threat intelligence analyst at Recorded Future, told Threatpost.
“There are a number of different vulnerabilities that allow for remote code execution and one vulnerability that allows for privilege escalation. These vulnerabilities allow for embedding a malicious JavaScript inside an Adobe Acrobat file; when the file is opened, the JavaScript executes a command or downloads a loader,” he said. “If an attacker combines both the remote code execution and the privilege escalation, then the command can be run as administrator, giving the attacker full control over the victim’s machine.”
The critical bugs include arbitrary code execution bugs such as a double free vulnerability (CVE-2018-12782), 14 heap overflow bugs, 13 use-after-free bugs, 13 out-of-bounds write vulnerabilities, and three type confusion bugs.
A critical security bypass privilege escalation bug (CVE-2018-12802) was also addressed for Acrobat products.
Adobe also released patches for three vulnerabilities in its Adobe Connect presentation software, for versions 9.7.5 and earlier, rated important. The update resolves an authentication bypass vulnerability (CVE-2018-4994) “which could result in sensitive information disclosure if successfully exploited,” Adobe said.
The update also addresses an important session management vulnerability (CVE-2018-12804) due to inadequate validation of Connect meeting session tokens. Also “the Connect add-in installer prior to 9.7 insecurely loads DLL files (CVE-2018-12805), which could be abused to escalate local privileges,” said Adobe.
Adobe also patched three vulnerabilities rated important in its Experience Manager enterprise CMS product, impacting versions 6.0 to 6.4. All three were Sensitive Information Disclosure bugs.
Adobe only fixed four vulnerabilities in its June Patch Tuesday update.