Adobe squashes critical bugs in Acrobat, Reader

The critical security flaws can lead to privilege escalation and code execution.

Adobe has released a security update which resolves two critical vulnerabilities uncovered in Adobe Acrobat and Reader software.

The software giant said the bugs are deemed critical, as they can lead to privilege escalation and arbitrary code execution in the context of the current user.

Adobe revealed the security flaws in a security bulletin published on Thursday.

The first vulnerability, CVE-2018-16011, is a use-after-free problem which can lead to arbitrary code execution if exploited -- which, in turn, could permit the execution of malware payloads, account hijacking, and more.

The second security flaw, CVE-2018-19725, is a security bypass issue which permits attackers to ramp up their privilege levels, potentially leading to attacks and system tampering taking place with additional freedoms beyond the usual confines of a user account.

Adobe Acrobat DC and Acrobat Reader DC versions 2019.010.20064 and earlier, Acrobat 2017 and Acrobat Reader 2017 versions 2017.011.30110 and earlier, and Acrobat DC and Acrobat Reader DC versions 2015.006.30461 and earlier are affected on Windows and macOS.

To stay protected against exploits involving these vulnerabilities, users should accept incoming security updates and upgrade to Acrobat DC and Acrobat Reader DC version 2019.010.20069, Acrobat 2017 and Acrobat Reader DC 2017 version 2017.011.30113, or Acrobat DC and Acrobat Reader DC version 2015.006.30464, depending on which release track they run.
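The affected and fixed build numbers above only help if an administrator can compare an installed version against the right release track, and a plain string comparison gets the zero-padded middle component wrong. The following script is an added example, not code from the article or from Adobe; it encodes the fixed versions named above and assumes (as an inference of this example, not a statement from the bulletin) that a leading 2015 or 2017 component identifies the two Classic tracks and any other leading year identifies the Continuous DC track.

```python
"""Triage installed Acrobat/Reader versions against the fixed builds
named in the bulletin summarised above (added example, not Adobe code)."""
from typing import Dict, Iterable, Tuple

# Fixed versions taken from the article; the key is the release track.
FIXED_VERSIONS = {
    "2015": "2015.006.30464",  # Acrobat DC / Acrobat Reader DC 2015 (Classic)
    "2017": "2017.011.30113",  # Acrobat 2017 / Acrobat Reader DC 2017 (Classic)
    "DC":   "2019.010.20069",  # Acrobat DC / Acrobat Reader DC (Continuous)
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert 'YYYY.MMM.BBBBB' into a tuple of ints.

    Comparing tuples of ints (not strings) is what makes '2019.010.20069'
    sort correctly against a build such as '2019.9.x' or a later year.
    """
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {version!r}")
    return tuple(int(p) for p in parts)


def release_track(version: str) -> str:
    """Map a version string to a release track.

    Assumption of this example: 2015.x and 2017.x are the Classic tracks;
    every other leading year is the Continuous (DC) track.
    """
    year = version.strip().split(".")[0]
    return year if year in ("2015", "2017") else "DC"


def is_patched(installed: str) -> bool:
    """True when the installed build is at or above the fixed build for its track."""
    fixed = FIXED_VERSIONS[release_track(installed)]
    return parse_version(installed) >= parse_version(fixed)


def triage(installed_versions: Iterable[str]) -> Dict[str, str]:
    """Label each version 'patched' or 'vulnerable' (malformed strings get 'unknown')."""
    result = {}
    for version in installed_versions:
        try:
            result[version] = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            result[version] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, e.g. gathered from endpoint software reports.
    sample_inventory = [
        "2019.010.20064",  # Continuous track, last affected build
        "2019.010.20069",  # Continuous track, fixed build
        "2018.011.20063",  # older Continuous build (assumed track mapping)
        "2017.011.30110",  # Classic 2017, affected
        "2015.006.30464",  # Classic 2015, fixed
        "19.10",           # malformed entry
    ]
    for version, status in triage(sample_inventory).items():
        print(f"{version:16} {status}")
```

Because the check keys on the release track, a Classic 2017 install at 2017.011.30113 is reported as patched even though its number is lower than the Continuous fixed build, which is the comparison an inventory script needs to get right.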

Adobe thanked researchers Sebastian Apelt and Abdul Aziz Hariri for reporting the vulnerabilities via Trend Micro's Zero Day Initiative.

In November, Volexity researchers warned that ColdFusion servers which had not been patched against a slew of vulnerabilities resolved in September were being actively targeted by nation-state attackers.