Adobe’s Patch Tuesday security update included patches for vulnerabilities in four products, among them four critical issues in Adobe Digital Editions, but none for the frequently patched Flash Player.
The company has pushed out several out-of-band releases in the last month, including one on 1 October that cleaned up many critical problems with Acrobat and Reader.
The Adobe Digital Editions 4.5.9 release fixed the critical heap overflow vulnerabilities CVE-2018-12813, CVE-2018-12814 and CVE-2018-12815, along with the use-after-free CVE-2018-12822, all of which could lead to arbitrary code execution if exploited. In addition, an important-rated out-of-bounds read problem, covered by CVE-2018-12816, CVE-2018-12818, CVE-2018-12819, CVE-2018-12820 and CVE-2018-12821, that could result in information disclosure was patched.
Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1 and 6.0 received three important-rated security updates for stored cross-site scripting: CVE-2018-15969, CVE-2018-15972 and CVE-2018-15973. In addition, two moderate-rated reflected cross-site scripting issues, CVE-2018-15970 and CVE-2018-15971, were patched. All of these could lead to sensitive information disclosure if exploited.
Adobe FrameMaker received an update for a single privilege escalation vulnerability, the moderate-rated CVE-2018-15974, fixing a flaw that could lead to insecure library loading, better known as DLL hijacking.
The Adobe Technical Communications Suite was also vulnerable to DLL hijacking: CVE-2018-15976, rated important, could lead to privilege escalation.