Patch Tuesday August 2018: Adobe mends two critical bugs in Acrobat and Reader

News by Bradley Barth

Adobe Systems today issued patched updates for Acrobat and Reader, Flash Player, Experience Manager, and the Cloud Desktop Application, collectively fixing 11 vulnerabilities, two of them critical.

Adobe Systems today issued patched updates for Acrobat and ReaderFlash PlayerExperience Manager, and the Cloud Desktop Application, collectively fixing 11 vulnerabilities, two of them critical.

The two most serious bugs, both of which can result in arbitrary code execution, were discovered in multiple versions of Acrobat and Reader for Windows and macOS. The first is an out-of-bounds write (CVE-2018-12808) discovered by Cybellum Technologies LTD, and the second is an untrusted pointer dereference (CVE-2018-12799), reported by Abdul Aziz Hariri via Trend Micro's Zero-Day Initiative.

Five bugs deemed "important" were found in Flash Player Desktop Runtime (multiple platforms), Flash Player for Google Chrome, and Flash Player for Microsoft Edge and Internet Explorer 11. Three of them are three out-of-bounds reads that can lead to information disclosure (CVE-2018-12824, 12826, 12827), while the two others are a security mitigation bypass (CVE-2018-12825) and privilege escalation (CVE-2018-12828) caused by use of a vulnerable component.

One other important issue was spotted in the Creative Cloud Desktop Application installer for Windows -- a privilege escalation vulnerability resulting from insuring library loading (CVE-2018-5003).

And finally, Adobe disclosed that Experience Manager versions 6.0 - 6.4 (all platforms) possess three moderate flaws -- a cross-site scripting (CVE-2018-5005) and a reflected cross-site scripting (CVE-2018-12806) that both can trigger sensitive information disclosure, and an input validation bypass (CVE-2018-12807) that can cause unauthorised information modification.

Adobe is unaware of any exploits in the wild leveraging any of these flaws.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop