Use Windows, macOS? Don't be hacked by PDF, patch these critical Adobe flaws now

Update your Adobe PDF software today before hackers exploit one of dozens of critical remote code execution flaws.
Written by Liam Tung, Contributing Writer

Adobe's scheduled October update for its Acrobat and Reader PDF software addresses 85 vulnerabilities, including dozens of critical flaws that allow arbitrary code execution.

The patches also address multiple privilege-escalation and information-disclosure flaws, shoring up Adobe's PDF software further following a patch for a critical Acrobat and Reader flaw plugged two weeks ago.

The bugs affect Acrobat DC and Reader versions 2018.011.20063 and earlier from Adobe's continuous track, Acrobat 2017 and Acrobat Reader 2017 version 2017.011.30102, and Acrobat DC and Reader DC versions 2015.006.30452 and earlier from Adobe's classic 2015 track.

The flaws affect the software running on Windows and macOS systems.

This update is the largest set of fixes for Adobe's PDF software since it swatted 105 vulnerabilities in July. Fortunately, the company says it is not currently aware of any exploits in the wild for bugs fixed in this update.


Users and admins should nonetheless install the fixed versions, according to Adobe: if an attacker developed an exploit, it could lead to arbitrary code execution in the context of the current user, since the software is sandboxed.

Since PDFs are still widely used in the enterprise, hackers continue to develop new techniques to break the sandbox by combining PDF attacks with operating system flaws.

This happened earlier this year, prompting a warning from Adobe in May after researchers at ESET and Microsoft informed it that they had discovered a malicious PDF combining a zero-day remote code execution flaw in Reader with a sandbox-busting Windows privilege escalation flaw.

Adobe credits researchers from Qihoo 360, Cisco Talos, Beihang University, Palo Alto Networks, and Check Point for reporting flaws patched in the October update.

Check Point researcher Omri Herscovici was responsible for reporting 35 of this month's bugs, all of which were information disclosure flaws.
