Adobe addresses critical vulnerabilities in Acrobat, Reader

Microsoft protected Windows users from suspected North Korean exploitation of an Adobe zero-day bug earlier this month.
Written by Charlie Osborne, Contributing Writer

Adobe's latest patch update resolves numerous vulnerabilities in Acrobat and Reader, some of which are deemed critical.

On Tuesday, Adobe released a security advisory for Acrobat and Reader, detailing patches for a total of 41 vulnerabilities, 17 of which are deemed critical and "could potentially allow an attacker to take control of the affected system," according to the company.

The vulnerabilities impact the Windows and Mac operating systems. Acrobat DC (continuous) versions 2018.009.20050 and earlier, Acrobat 2017 versions 2017.011.30070 and earlier, Acrobat Reader 2017 versions 2017.011.30070 and earlier, and Acrobat DC (Classic Track) versions 2015.006.30394 and earlier are all affected.

Among the issues resolved is a critical security mitigation bypass which can lead to privilege escalation and a set of heap overflow bugs which can be exploited to perform arbitrary code execution.

In addition, Adobe has patched multiple use-after-free and out-of-bounds write bugs, as well as out-of-bounds read vulnerabilities which can be exploited by attackers to perform remote code execution.

Adobe also released security updates for Adobe Experience Manager. The patch update resolves CVE-2018-4875, a reflected cross-site scripting vulnerability, and CVE-2018-4876, a cross-site scripting vulnerability in the Apache Sling XSS protection API. Both bugs can be exploited to leak sensitive information.

Users are recommended to update their software immediately.

Adobe thanked a long list of researchers for reporting the now-patched security issues, including experts from Cisco Talos, Trend Micro's Zero Day Initiative, and Xuanwu Lab.

See also: Windows security: Microsoft issues Adobe patch to tackle Flash zero-day

Earlier this month, Microsoft issued an Adobe patch for a use-after-free security flaw in the Windows operating system. The bug is of particular note as it is believed the Flash exploit is being used in the wild by North Korean cyberattackers to compromise systems.

In January, Adobe patched a single vulnerability deemed "important" in the eyes of the tech giant. The vulnerability, CVE-2018-4871, occurs due to a target buffer error and could be exploited by attacks in order to leak sensitive information.

Favorite gifts: Top tech, gadgets for under $100

Previous and related coverage

Editorial standards