Adobe squashes critical bugs in Acrobat, Reader
Adobe has released a security update which resolves two critical vulnerabilities uncovered in Adobe Acrobat and Reader software.
The software giant said the bugs are deemed critical, as they can lead to privilege escalation and arbitrary code execution in the context of the current user.
Adobe revealed the security flaws in a security bulletin published on Thursday.
The first vulnerability, CVE-2018-16011, is a use-after-free problem which can lead to arbitrary code execution if exploited — which, in turn, could permit the execution of malware payloads, account hijacking, and more.
The second security flaw, CVE-2018-19725, is a security bypass issue which permits attackers to ramp up their privilege levels, potentially leading to attacks and system tampering taking place with additional freedoms beyond the usual confines of a user account.
Adobe Acrobat DC and Acrobat Reader DC 2019.010.20064 and earlier, Acrobat 2017 and Acrobat Reader 2017 versions 2017.011.30110 and earlier, as well as Acrobat DC and Acrobat Reader DC versions 2015.006.30461 and earlier, are affected on Windows and macOS machines.
To stay protected against exploits involving these vulnerabilities, users should install the security update and upgrade to Acrobat DC and Acrobat Reader DC version 2019.010.20069, Acrobat 2017 and Acrobat Reader DC 2017 version 2017.011.30113, or Acrobat DC and Acrobat Reader DC version 2015.006.30464.
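An added check, not from the article or from Adobe: it maps an installed Acrobat or Reader build number to its release track and compares it with the fixed version listed above. The track mapping (2017 for the Classic 2017 line, 2015 for the Classic 2015 line, 2018 or later for the DC continuous line) is an assumption made for this example.

```python
# Added example: compare an Acrobat/Reader version string against the
# fixed builds named in the bulletin. Track mapping is an assumption.

FIXED = {
    "dc-continuous": (2019, 10, 20069),  # Acrobat DC / Reader DC continuous
    "classic-2017": (2017, 11, 30113),   # Acrobat 2017 / Reader 2017
    "classic-2015": (2015, 6, 30464),    # Acrobat DC / Reader DC 2015
}


def parse_version(text):
    """'2019.010.20064' -> (2019, 10, 20064); raises on malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {text!r}")
    return tuple(int(p) for p in parts)


def track_for(version):
    """Pick the release track from the major component (assumed mapping)."""
    major = version[0]
    if major == 2017:
        return "classic-2017"
    if major == 2015:
        return "classic-2015"
    if major >= 2018:
        return "dc-continuous"
    return None  # unknown line; do not guess


def is_patched(text):
    """True if at or above the fixed build for its track, False if affected,
    None if the track cannot be determined from the version string."""
    version = parse_version(text)
    track = track_for(version)
    if track is None:
        return None
    return version >= FIXED[track]


if __name__ == "__main__":
    for v in ("2019.010.20064", "2019.010.20069", "2017.011.30110"):
        print(v, "patched" if is_patched(v) else "AFFECTED")
```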
Adobe thanked researchers Sebastian Apelt and Abdul Aziz Hariri for reporting the vulnerabilities via Trend Micro’s Zero Day Initiative.
In November, Volexity researchers warned that ColdFusion servers which had not been patched against a slew of vulnerabilities resolved in September were being actively targeted by nation-state attackers.