Adobe's latest patch update resolves numerous vulnerabilities in Acrobat and Reader, some of which are deemed critical.
On Tuesday, Adobe released a security advisory for Acrobat and Reader, detailing patches for a total of 41 vulnerabilities, 17 of which are deemed critical and "could potentially allow an attacker to take control of the affected system," according to the company.
The vulnerabilities impact the Windows and Mac operating systems. Acrobat DC (continuous) versions 2018.009.20050 and earlier, Acrobat 2017 versions 2017.011.30070 and earlier, Acrobat Reader 2017 versions 2017.011.30070 and earlier, and Acrobat DC (Classic Track) versions 2015.006.30394 and earlier are all affected.
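The version ceilings above are the only concrete indicator a defender gets from this summary, so here is an added example (not from the article or from Adobe) that turns them into an inventory check. Track names and "X and earlier" ceilings are taken from the paragraph above; the host inventory is constructed, and the updated build numbers are not stated here, so the check only answers whether an installed build falls inside the affected range, not which build to move to.

```python
# Added example: flag Acrobat/Reader installs that fall at or below the
# "and earlier" ceilings listed in the article. Not Adobe's code.
from typing import Dict, List, Tuple

# Ceilings as given in the article for each release track.
AFFECTED_CEILINGS: Dict[str, str] = {
    "Acrobat DC (Continuous)": "2018.009.20050",
    "Acrobat 2017": "2017.011.30070",
    "Acrobat Reader 2017": "2017.011.30070",
    "Acrobat DC (Classic)": "2015.006.30394",
}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '2018.009.20050' into (2018, 9, 20050).

    Comparing tuples of ints avoids the lexical trap where an unpadded
    build such as '2018.9.20050' sorts after '2018.011.20040' as a string.
    """
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {v!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)


def is_affected(track: str, installed: str) -> bool:
    """True when the installed build is at or below the track's ceiling."""
    if track not in AFFECTED_CEILINGS:
        raise KeyError(f"unknown release track: {track!r}")
    return parse_version(installed) <= parse_version(AFFECTED_CEILINGS[track])


def audit_inventory(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose (track, version) is within the affected range.

    inventory rows are (hostname, track, installed_version); unknown tracks
    are reported rather than silently skipped so the gap is visible.
    """
    flagged: List[str] = []
    for host, track, version in inventory:
        try:
            if is_affected(track, version):
                flagged.append(host)
        except (KeyError, ValueError) as exc:
            flagged.append(f"{host} (unverifiable: {exc})")
    return flagged


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "Acrobat DC (Continuous)", "2018.009.20050"),  # at ceiling -> affected
    ("ws-02", "Acrobat DC (Continuous)", "2018.9.20050"),    # unpadded form of the same build
    ("ws-03", "Acrobat 2017", "2017.011.30070"),             # at ceiling -> affected
    ("ws-04", "Acrobat DC (Classic)", "2015.006.30413"),     # above ceiling -> not flagged
    ("ws-05", "Acrobat Reader DC", "2018.009.20050"),        # track not in the article -> unverifiable
]

if __name__ == "__main__":
    for entry in audit_inventory(SAMPLE_INVENTORY):
        print("review:", entry)
```

Anything flagged should be cross-checked against the advisory itself for the fixed build on that track, since the summary above only gives the affected ceilings.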
Among the issues resolved is a critical security mitigation bypass which can lead to privilege escalation and a set of heap overflow bugs which can be exploited to perform arbitrary code execution.
In addition, Adobe has patched multiple use-after-free and out-of-bounds write bugs, as well as out-of-bounds read vulnerabilities which can be exploited by attackers to perform remote code execution.
Adobe also released security updates for Adobe Experience Manager. The patch update resolves CVE-2018-4875, a reflected cross-site scripting vulnerability, and CVE-2018-4876, a cross-site scripting vulnerability in the Apache Sling XSS protection API. Both bugs can be exploited to leak sensitive information.
Users are recommended to update their software immediately.
Adobe thanked a long list of researchers for reporting the now-patched security issues, including experts from Cisco Talos, Trend Micro's Zero Day Initiative, and Xuanwu Lab.
Earlier this month, Microsoft issued a patch for an Adobe use-after-free security flaw in the Windows operating system. The bug is of particular note because the Flash exploit is believed to be in use in the wild by North Korean cyberattackers to compromise systems.
In January, Adobe patched a single vulnerability that the tech giant rated "important". The vulnerability, CVE-2018-4871, occurs due to a target buffer error and could be exploited by attackers in order to leak sensitive information.