
Today, Adobe released security bulletin APSB19-02 that describes two security updates for critical vulnerabilities in Adobe Acrobat and Reader. In these updates only two vulnerabilities were fixed, but they are classified as Critical because they allow privilege escalation and arbitrary code execution.

Vulnerability Category | Vulnerability Impact     | Severity | CVE Number
Use After Free         | Arbitrary Code Execution | Critical | CVE-2018-16011
Security Bypass        | Privilege Escalation     | Critical | CVE-2018-19725

The first vulnerability was assigned ID CVE-2018-16011 and is a use-after-free bug that could allow arbitrary code execution. This type of vulnerability could allow an attacker to execute commands, such as downloading malware, on the affected computer without the victim's knowledge. This vulnerability was discovered by Sebastian Apelt, and ZDI released an advisory for it.

The second vulnerability was assigned CVE-2018-19725 and allows attackers to execute code at a higher privilege level.

Both of these vulnerabilities were reported by Trend Micro's Zero Day Initiative, with CVE-2018-19725 being discovered internally by ZDI researcher Abdul-Aziz Hariri.

ZDI told BleepingComputer via email that they would be issuing advisories for these CVEs in the near future and that they are not being used in active exploitation.

To resolve these vulnerabilities, users should upgrade to the latest version of Acrobat DC/Acrobat Reader DC version 2019.010.20069, Acrobat 2017/Acrobat Reader DC 2017 version 2017.011.30113, and Acrobat DC/Acrobat Reader DC version 2015.006.30464.
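Checking whether a fleet is actually on those fixed builds is the practical follow-up to the paragraph above. The script below is an added example, not code from the article or from Adobe: it encodes the three fixed version strings named above, parses Adobe's track.major.build version format so that a component such as "010" compares numerically, and classifies a constructed inventory of hostnames and installed versions as patched, vulnerable, or outside the tracks covered by APSB19-02. The hostnames and installed versions in SAMPLE_INVENTORY are constructed for illustration.

```python
from typing import Dict, Iterable, Optional, Tuple

# Minimum fixed builds from APSB19-02 as stated in the article, keyed by the
# release track encoded in the first component of the version string.
FIXED_VERSIONS = {
    "2019": "2019.010.20069",  # Acrobat DC / Acrobat Reader DC (Continuous)
    "2017": "2017.011.30113",  # Acrobat 2017 / Acrobat Reader DC 2017
    "2015": "2015.006.30464",  # Acrobat DC / Acrobat Reader DC 2015
}

# Constructed sample inventory (hostname, reported Acrobat/Reader version).
SAMPLE_INVENTORY = [
    ("ws-finance-01", "2019.010.20069"),  # exactly the fixed build
    ("ws-finance-02", "2019.010.20064"),  # one build behind on the same track
    ("ws-legal-07", "2017.011.30113"),    # fixed build on the 2017 track
    ("srv-print-03", "2015.006.30461"),   # older 2015 classic build
    ("kiosk-lobby", "11.0.23"),           # track not covered by this bulletin
    ("ws-hr-04", "not-installed"),        # malformed / no version reported
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert 'YYYY.mmm.bbbbb' into a tuple of ints for ordered comparison.

    Zero-padded components such as '010' must compare as 10, which a plain
    string comparison would get wrong once component widths differ.
    Raises ValueError for anything that is not three dotted decimal fields.
    """
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Adobe version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str) -> Optional[bool]:
    """Return True if the installed build is at or above the APSB19-02 fix
    for its track, False if it is older, and None when the track is not one
    the bulletin covers (the caller decides how to treat unknown tracks).
    """
    parsed = parse_version(installed)
    fixed = FIXED_VERSIONS.get(str(parsed[0]))
    if fixed is None:
        return None
    return parsed >= parse_version(fixed)


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Classify each host as 'patched', 'vulnerable', 'unknown-track' or
    'unparseable' so the result can feed a ticketing or reporting step.
    """
    result: Dict[str, str] = {}
    for host, version in inventory:
        try:
            status = is_patched(version)
        except ValueError:
            result[host] = "unparseable"
            continue
        if status is None:
            result[host] = "unknown-track"
        else:
            result[host] = "patched" if status else "vulnerable"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:<16} {status}")
```

Hosts reported as "unknown-track" or "unparseable" should be reviewed by hand rather than silently treated as safe; an end-of-life track or a missing version string is not evidence that the fix is present.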
