[BreachExchange] Adobe Fixes Two Critical Acrobat and Reader Flaws

Destry Winant destry at riskbasedsecurity.com
Tue Jan 8 01:04:16 EST 2019


https://threatpost.com/adobe-critical-acrobat-reader-flaws/140547/

An unscheduled patch fixed two critical flaws that could enable
arbitrary code execution.

Adobe on Thursday released unscheduled security updates for Adobe
Acrobat and Reader for Windows and macOS.

The updates fix two critical vulnerabilities, CVE-2018-16011 and
CVE-2018-19725. Successful exploitation of the flaws could lead to
arbitrary code execution in the context of the current user.

The first vulnerability, CVE-2018-16011, reported by Sebastian Apelt
in conjunction with the Zero Day Initiative, is a critical
use-after-free flaw that could enable arbitrary code execution. The
vulnerability had been addressed in a separate issue included in a
previous Adobe advisory.

The second flaw, CVE-2018-19725, reported by Abdul Aziz Hariri, is a
critical security bypass vulnerability that allows privilege
escalation. That flaw “is a security feature bypass that would allow a
privilege escalation, giving an attacker broader access to the system
affected,” Chris Goettl, director of product management, security, at
Ivanti, told Threatpost.

Impacted are Acrobat DC and Acrobat Reader DC (Continuous track)
versions 2019.010.20064 and earlier; Acrobat 2017 and Acrobat Reader
2017 (Classic 2017 track) versions 2017.011.30110 and earlier; and
Acrobat DC and Acrobat Reader DC (Classic 2015 track) versions
2015.006.30461 and earlier.

The updates carry Adobe's priority 2 rating: there are no known
exploits for the vulnerabilities, but they exist in products that have
historically been "at elevated risk," according to Adobe, which
recommends installing priority 2 updates soon (for example, within 30
days).

Adobe recommends users update to Acrobat DC and Acrobat Reader DC
(Continuous) version 2019.010.20069, Acrobat 2017 and Acrobat Reader
2017 (Classic 2017) version 2017.011.30113, and Acrobat DC and Acrobat
Reader DC (Classic 2015) version 2015.006.30464.
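A fleet-triage check for the version thresholds above, as an added example
(not code from the Threatpost article, Adobe, or the BreachExchange list).
It parses Acrobat/Reader build strings, infers the release track from the
year prefix, and compares numerically against the first fixed build on that
track. The hostnames and version strings in SAMPLE_INVENTORY are constructed;
the mapping of 2018.x builds to the Continuous track is an assumption noted
in the code, and legacy or unparseable entries are flagged rather than
silently treated as patched.

```python
# Added example, not code from the Threatpost article, Adobe or the
# BreachExchange list: triage installed Acrobat/Reader build numbers
# against the fixed versions named in the advisory. The inventory below
# is constructed sample data; a real run would feed it from a software
# inventory source.
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed build per release track, taken from the advisory text.
# Any build on the same track that compares lower is affected.
FIXED_BY_TRACK: Dict[str, Version] = {
    "Continuous": (2019, 10, 20069),    # Acrobat DC / Reader DC 2019.010.20069
    "Classic 2017": (2017, 11, 30113),  # Acrobat 2017 / Reader 2017 2017.011.30113
    "Classic 2015": (2015, 6, 30464),   # Acrobat DC / Reader DC 2015.006.30464
}


def parse_version(text: str) -> Version:
    """Turn '2019.010.20064' into (2019, 10, 20064).

    Comparing as integers matters: the middle component is zero-padded,
    and a plain string comparison would mis-order a build such as
    '2019.010.9999' against '2019.010.20064'.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Acrobat/Reader version: {text!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)


def track_for(version: Version) -> Optional[str]:
    """Map a build to its release track by year prefix.

    Assumption (not stated in the article): 2018.x builds belong to the
    Continuous track, which the advisory covers as '2019.010.20064 and
    earlier'. Anything else (e.g. legacy 11.x) is reported as unknown
    rather than silently treated as patched.
    """
    major = version[0]
    if major >= 2018:
        return "Continuous"
    if major == 2017:
        return "Classic 2017"
    if major == 2015:
        return "Classic 2015"
    return None


def is_affected(text: str) -> Optional[bool]:
    """True if below the fixed build for its track, False if at or above,
    None if the track cannot be determined."""
    version = parse_version(text)
    track = track_for(version)
    if track is None:
        return None
    return version < FIXED_BY_TRACK[track]


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as AFFECTED, PATCHED, UNKNOWN_TRACK or UNPARSEABLE."""
    result: Dict[str, str] = {}
    for host, raw in inventory.items():
        try:
            state = is_affected(raw)
        except ValueError:
            result[host] = "UNPARSEABLE"
            continue
        if state is None:
            result[host] = "UNKNOWN_TRACK"
        else:
            result[host] = "AFFECTED" if state else "PATCHED"
    return result


# Constructed sample inventory: hostname -> reported product version.
SAMPLE_INVENTORY = {
    "ws-01": "2019.010.20064",   # last affected Continuous build
    "ws-02": "2019.010.20069",   # first fixed Continuous build
    "ws-03": "2017.011.30110",   # affected Classic 2017
    "ws-04": "2015.006.30464",   # fixed Classic 2015
    "ws-05": "2018.011.20063",   # older Continuous build, still affected
    "ws-06": "11.0.23",          # legacy XI, outside the advisory's tracks
    "ws-07": "not installed",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: {SAMPLE_INVENTORY[host]:<16} {status}")
```

The comparison is deliberately tuple-wise on integers; the advisory's
"and earlier" wording is a numeric ordering, and unknown tracks are surfaced
rather than assumed safe so that a stale 11.x install does not disappear from
the report.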

The patch comes on the heels of a busy December for Adobe. The company
patched 87 vulnerabilities in Acrobat and Reader in its December
Patch Tuesday update, including a slew of critical flaws that would
allow arbitrary code execution. Beyond that, Adobe Flash Player had
two zero-day vulnerabilities, CVE-2018-15981 in late November and
CVE-2018-15982 in early December.

“Between this update and the December APSB18-41, which resolved 87
vulnerabilities, it is recommended to ensure that any Adobe Acrobat
and Reader instances are updated in the next two to four weeks,”
Goettl told us. “You can also expect an Adobe Flash Player update next
week on Patch Tuesday.”

Both flaws were reported through Trend Micro’s Zero Day Initiative.

