Adobe released patches for two bugs rated “important” in its Adobe Digital Edition and Adobe Connect products.
The two important vulnerabilities, patched Tuesday, include an information disclosure bug in Adobe’s ebook reader software program, Digital Edition; as well as a session token exposure bug in its presentation and web conferencing software, Adobe Connect.
The “important” out of bounds read bug, CVE-2018-12817, is an information disclosure vulnerability impacting Adobe Digital Edition versions 4.5.9 and earlier, for Windows, macOS, iOS and Android. Jaanus Kääp of Clarified Security was credited with discovering the issue.
“Adobe has released a security update for Adobe Digital Editions,” according to Adobe’s release. “This update resolves an important vulnerability. Successful exploitation could lead to information disclosure in the context of the current user.”
Users are urged to update Adobe Digital Editions to 4.5.10 in a priority 3 update – meaning that it “resolves vulnerabilities in a product that has historically not been a target for attackers” according to Adobe.
The other bug, an “important” session token exposure glitch in Adobe Connect, (CVE-2018-19718) could enable exposure of the privileges granted to a session. Impacted are Adobe Connect versions 9.8.1 and earlier on all platforms. Users are urged to update to Adobe Connect 10.1 in a priority 3 update.
Adobe said that it is not aware of current exploits for either of these vulnerabilities.
The update comes on the heels of a slew of unscheduled fixes for Adobe Acrobat and Reader for Windows and MacOS last week. The updates fixed two critical vulnerabilities, CVE-2018-16011 and CVE-2018-19725. Successful exploitation of the flaws could lead to arbitrary code execution in the context of the current user.
The patch also comes on the heels of a busy December for Adobe. The company patched 87 vulnerabilities for Acrobat and Reader in its December Patch Tuesday update, including a slew of critical flaws that would allow arbitrary code-execution.
“Closing out 2018, Adobe Flash had two Zero Day vulnerabilities in late November (CVE-2018-15981) and early December (CVE-2018-15982),” Chris Goettl, director of product management for Security at Ivanti, told Threatpost. “Ensure that Adobe Acrobat, Reader, and Flash Player are part of your monthly maintenance for January.”