Adobe on Monday posted its regularly-scheduled October security update addressing 86 vulnerabilities – more than half of which were critical flaws – in Adobe Acrobat and Reader, its set of services to view, create, and manage PDF files.
Up to 47 of the patches addressed critical vulnerabilities allowing arbitrary code execution. That includes 22 out-of-bounds write flaws, seven critical heap overflow glitches, seven use-after-free bugs, three type confusion bugs, three buffer error bugs, three untrusted pointer dereference flaws and a double free vulnerability.
The update also includes a security bypass bug that enables privilege escalation, a flaw (CVE-2018-15966) discovered by Wei Wei of Tencent’s Xuanwu Lab.
The update also addressed 36 out-of-bounds read “important” bugs enabling information disclosure, a stack overflow flaw and two integer overflow glitches.
“Adobe has released security updates for Adobe Acrobat and Reader for Windows and MacOS,” the company said in a Monday notice. “These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.”
Adobe said it is not aware of any exploits in the wild for any of the issues addressed in these updates.
Impacted are Acrobat DC and Acrobat Reader DC versions 2018.011.20063 and earlier, Acrobat DC and Acrobat Reader DC 2017 versions 2017.011.30102 and earlier; and Acrobat DC and Acrobat Reader DC 2015 versions 2015.006.30452 and earlier – all on Windows and MacOS.
The priority ratings for all impacted versions is “2,” meaning the update resolves vulnerabilities in a product that has historically been at elevated risk, according to Adobe.
Acrobat and DC users can update to versions 2019.008.20071 for the Continuous version, 2017.011.30105 for the Classic 2017 version, and 2015.006.30456 for the Classic 2015 version.
Adobe release both regularly-scheduled as well as unscheduled patches last month. The unscheduled patches, released Sept. 19, came one week after Adobe’s regularly-scheduled September update and also addressed arbitrary code execution flaws in its Acrobat Reader and DC product.
Those flaws in the unscheduled release addressed include one “critical” vulnerability, an out-of-bounds write flaw (CVE-2018-12848). “Successful exploitation could lead to arbitrary code execution in the context of the current user,” Adobe said in its release.