Adobe Patch Tuesday: Fixes for Critical Acrobat and Reader Flaws

Adobe’s August Patch Tuesday release impacts Flash Player, Acrobat DC and Reader, Experience Manager and the Creative Cloud desktop application.

Adobe has released 11 total fixes for an array of products during today’s Patch Tuesday release, including two critical patches for Acrobat and Reader.

This month’s release comes on the heels of Adobe fixing a whopping 112 vulnerabilities in its July Patch Tuesday release last month, including issues in Flash Player, Acrobat and Reader, Experience Manager and Adobe Connect.

Topping the list of this month’s Patch Tuesday updates are two critical fixes for Adobe Acrobat and Reader for Windows and macOS. Exploitation of the vulnerabilities could lead to arbitrary code execution in the context of the current user.

CVE-2018-12808 is an out-of-bounds write flaw, while CVE-2018-12799 is an untrusted pointer dereference vulnerability, the advisory noted.

Impacted products include Acrobat DC and Acrobat Reader DC versions 2018.011.20055 and earlier; Acrobat 2017 and Acrobat Reader Classic 2017 versions 2017.011.30096 and earlier; and Acrobat DC and Acrobat Reader DC Classic 2015 versions 2015.006.30434 and earlier. All product updates have a priority rating of 2, said Adobe, meaning that “the update resolves vulnerabilities in a product that has historically been at elevated risk.”

Adobe hasn’t seen any exploits in the wild, but to avoid potential attacks, the vendor said that users should update to versions 2018.011.20058 for Acrobat DC and Reader DC; 2017.011.30099 for Acrobat and Reader Classic 2017; and 2015.006.30448 for Acrobat DC Classic 2015.

Also included in the release are security updates for five other vulnerabilities that are rated important, impacting Adobe Flash Player Desktop Runtime (on Windows, macOS, and Linux); Adobe Flash Player for Google Chrome (on Windows, macOS, Linux and ChromeOS); and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (for Windows 10 and 8.1), all for versions 30.0.0.134 and earlier.

The flaws (CVE-2018-12828, CVE-2018-12827, CVE-2018-12826, CVE-2018-12825 and CVE-2018-12824) have not been seen exploited in the wild. Four are information disclosure bugs; the fifth, CVE-2018-12828, is a privilege escalation flaw that could lead to arbitrary code execution, said Adobe.

Adobe recommended that users update to version 30.0.0.154 for all impacted versions, which all are listed as priority 2 – except Adobe Flash Player Desktop Runtime for Linux, which was given a lower priority 3, meaning the “update resolves vulnerabilities in a product that has historically not been a target for attackers.”
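For anyone reconciling an endpoint inventory against the versions above, the following is an added triage helper (not code from Adobe or from the original article). It keys the fixed builds by product track, because Acrobat’s Continuous (2018.x), Classic 2017 (2017.x) and Classic 2015 (2015.x) lines are separate update tracks and must not be compared against each other, and it compares version strings numerically rather than lexically. The host names and the inventory list are constructed sample data.

```python
"""Flag Adobe Acrobat/Reader and Flash Player builds that are older than the
fixed versions published in Adobe's August 2018 Patch Tuesday advisories."""

# Fixed builds per product and track, taken from the advisory figures.
# For Acrobat/Reader the leading year field identifies the track:
# 2018 = DC Continuous, 2017 = Classic 2017, 2015 = Classic 2015.
# Flash Player 30.x shares a single fixed build across all runtimes.
FIXED_VERSIONS = {
    "acrobat": {
        "2018": "2018.011.20058",  # Acrobat DC / Acrobat Reader DC (Continuous)
        "2017": "2017.011.30099",  # Acrobat / Acrobat Reader Classic 2017
        "2015": "2015.006.30448",  # Acrobat DC / Reader DC Classic 2015
    },
    "flash": {
        "30": "30.0.0.154",
    },
}


def parse_version(text):
    """Turn '2018.011.20055' into (2018, 11, 20055) for numeric comparison.

    Comparing the raw strings is wrong: '2018.011.20058' < '2018.011.9'
    lexically, even though 20058 is the newer build."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for(product, version):
    """Return the fixed build on the same track as `version`, or None when
    the advisory says nothing about that track (e.g. a later Flash major)."""
    track = version.strip().split(".")[0]
    return FIXED_VERSIONS.get(product, {}).get(track)


def is_vulnerable(product, version):
    """True if the installed build predates the fixed build on its track,
    False if it is at or above the fix, None if the track is not covered.

    Returning None (rather than False) for unknown tracks keeps an
    unrecognised build from silently passing as patched."""
    fixed = fixed_version_for(product, version)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """inventory: iterable of (host, product, version).

    Returns a list of (host, product, version, status) where status is
    'vulnerable', 'patched' or 'unknown'."""
    labels = {True: "vulnerable", False: "patched", None: "unknown"}
    return [
        (host, product, version, labels[is_vulnerable(product, version)])
        for host, product, version in inventory
    ]


# Constructed sample inventory; host names are placeholders.
SAMPLE_INVENTORY = [
    ("ws-01", "acrobat", "2018.011.20055"),  # DC Continuous, affected
    ("ws-02", "acrobat", "2018.011.20058"),  # DC Continuous, at the fix
    ("ws-03", "acrobat", "2017.011.30096"),  # Classic 2017, affected
    ("ws-04", "acrobat", "2015.006.30448"),  # Classic 2015, at the fix
    ("ws-05", "flash",   "30.0.0.134"),      # Flash 30, affected
    ("ws-06", "flash",   "30.0.0.154"),      # Flash 30, at the fix
    ("ws-07", "flash",   "31.0.0.108"),      # later major: not covered here
]

if __name__ == "__main__":
    for host, product, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:6} {product:8} {version:16} {status}")
```

The 'unknown' status is deliberate: an inventory tool that treats every unrecognised version string as patched will hide exactly the machines that need a human look, such as a host reporting a track the advisory never mentions.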

Adobe also addressed three “moderate” vulnerabilities in its Adobe Experience Manager, versions 6.0 to 6.4.

The flaws (CVE-2018-12806, CVE-2018-12807 and CVE-2018-5005) are a reflected cross-site scripting (XSS) vulnerability that could result in sensitive information disclosure; an input validation bypass vulnerability that could allow unauthorized information modification; and another cross-site scripting vulnerability that also could result in sensitive information disclosure.

Finally, the company issued a patch for an important-rated insecure library-loading vulnerability in the installer of the Creative Cloud Desktop Application (CVE-2018-5003), which could lead to privilege escalation. Versions 4.5.0.324 and earlier for Windows are impacted.