Adobe Patches 39 Vulnerabilities in Acrobat and Reader

Posted by & filed under Security News.

Updates released on Tuesday by Adobe for its Acrobat, Acrobat Reader and Experience Manager products patch more than 40 vulnerabilities, but none of them appear to have been exploited for malicious purposes.

The company fixed a total of 39 flaws in its Acrobat and Reader products for Windows and Mac. The security holes, rated important and critical with a priority rating of 2, have been described as security mitigation bypass, heap overflow, use-after-free, out-of-bounds read, and out-of-bounds write weaknesses that can be exploited for privilege escalation or arbitrary code execution.

The flaws impact version 2018.009.20050 and earlier of Acrobat DC Continuous Track, version 2017.011.30070 and earlier of Acrobat 2017, and versions 2015.006.30394 and earlier of Acrobat DC Classic Track.

More than half of the vulnerabilities were reported to Adobe by employees of China-based Tencent. The disclosure was often made through Trend Micro’s Zero Day Initiative (ZDI).

As for Experience Manager, the latest version of the enterprise content management solution patches two vulnerabilities, including a reflected cross-site scripting (XSS) issue rated moderate, and an important XSS in the Apache Sling XSS protection API.

According to Adobe, exploitation of these flaws could allow attackers to obtain sensitive information. The company has not credited anyone for the Experience Manager security holes.

Earlier this month, Adobe issued an emergency update for Flash Player after learning that threat actors believed to be working on behalf of North Korea had been exploiting a zero-day vulnerability in attacks aimed at South Korea.

The group believed to be behind the attacks is tracked by FireEye as “TEMP.Reaper” and by Cisco Talos as “Group 123.”

 

The information contained in this website is for general information purposes only. The information is provided by Security Week and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.