Multiple code execution and privilege escalation bugs fixed

Dec 11, 2018 21:39 GMT  ·  By

Adobe released security updates for 39 critical vulnerabilities affecting its Acrobat and Reader software products for both macOS and Windows which could allow potential attackers to execute arbitrary code on compromised systems.

Thirty-six of the critical heap overflow, out-of-bounds write, use-after-free, untrusted pointer dereference, and buffer error issues fixed in the latest Acrobat and Reader releases would allow for arbitrary code execution on compromised computers, while three of them are security bypass issues that would lead to privilege escalation after exploitation.

As detailed in Adobe's APSB18-41 security bulletin, the versions impacted by these security vulnerabilities are Acrobat DC (Continuous, Classic 2015), Acrobat 2017, Acrobat Reader DC (Continuous, Classic 2015), and Acrobat Reader 2017.

Adobe says on its support website that vulnerabilities rated as "critical" could allow attackers to execute malicious code following successful exploitation of the bugs, with a high possibility of the currently logged-in user not being aware that the system has been compromised.

Furthermore, Adobe rated the thirty-nine critical security issues as Priority 2, a rating given to vulnerabilities in products that have historically presented an elevated risk of exploitation.

"There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent," also says the company. "As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days)."

Adobe also patched 49 issues leading to information disclosure and rated as "Important"

It's also important to mention that forty-nine other integer overflow, security bypass, and out-of-bounds read issues that result in information disclosure were also patched in Acrobat and Reader, and rated as "Important."

According to Adobe's support website, vulnerabilities rated as "Important," "if exploited would compromise data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer."

All users of the Acrobat and Reader apps for Windows and macOS are recommended to update to the patched versions via the Adobe Flash Player Download Center or with the help of the built-in update mechanism.

A week ago, Adobe also patched a cross-platform zero-day Flash Player vulnerability tracked as CVE-2018-15982 that could allow potential remote attackers to execute arbitrary code on vulnerable computers where the runtime was installed.