Adobe releases patch out of schedule to squash critical code execution bug

The vulnerabilities resolved in the update impact both Microsoft Windows and Apple MacOS systems.
Written by Charlie Osborne, Contributing Writer

Adobe has released a patch outside its usual security update schedule to resolve a set of severe vulnerabilities in Adobe Acrobat and Reader.

On Wednesday, the tech giant published a security advisory describing the bugs, which impact Windows and MacOS machines.

The most critical issue is an out-of-bounds write vulnerability.

Deemed critical, CVE-2018-12848 can lead to arbitrary code execution in the context of the current user if exploited by attackers.

The second set of bugs (CVE-2018-12849, CVE-2018-12850, CVE-2018-12801, CVE-2018-12840, CVE-2018-12778, CVE-2018-12775) consists of out-of-bounds read issues, all of which can lead to information disclosure. These vulnerabilities are considered "important."

The vulnerabilities impact Acrobat DC 2018.011.20058 and earlier, Acrobat Reader DC 2018.011.20058 and earlier, Acrobat 2017 2017.011.30099 and earlier, Acrobat Reader 2017 2017.011.30099 and earlier, Acrobat DC 2015.006.30448 and earlier, and Acrobat Reader DC 2015.006.30448 and earlier.

As always, Adobe recommends that users accept automatic updates to mitigate the risk of exploitation.

Adobe gave credit to researchers from Trend Micro's Zero Day Initiative, Cybellum Technologies, and Check Point Software Technologies for reporting the vulnerabilities.

The release comes after Adobe's standard patch round in September, which resolved four critical deserialization of untrusted data flaws in ColdFusion, alongside data leaks, privilege escalation bugs, and security bypass flaws in other Adobe products.

In August's patch update, Adobe resolved 11 security flaws, two of which were considered critical. The security release affected Adobe Flash, Acrobat and Reader, Experience Manager, and Creative Cloud. The critical flaws, an out-of-bounds write issue and an untrusted pointer dereference problem, could lead to the execution of arbitrary code.
