Adobe has released its latest patch package, which addresses a total of 112 vulnerabilities across its products, most of them in the Acrobat and Reader applications. The updates to Flash Player and other products fix critical security bugs tracked in several CVE advisories.
Latest Adobe Products Patch Fixes a Total of 112 Vulnerabilities
Adobe released their latest patch package which includes a total of 112 fixes to vulnerabilities found in their software. The security bulletin posted by the company reveals further details about the problems that are mitigated in this release. Among them there are several critical security bugs that should be patched as soon as possible.
The document lists all of them in several categories according to the vulnerability impact:
- Arbitrary Code Execution — Double Free, Heap Overflow, Use-after-free, Out-of-bounds write, Type Confusion, Untrusted pointer dereference and Buffer Errors.
- Privilege Escalation — Privilege Escalation.
- Information Disclosure — Information Disclosure.
There are two critical bugs found in Adobe Flash Player: one that allows arbitrary code execution (tracked in CVE-2018-5007) and an information disclosure read bug (tracked in CVE-2018-5008). It’s important to note that practically all versions are affected. This includes all instances prior to version 30.0.0.113 of the Adobe Flash Player Desktop Runtime on Windows, macOS, and Linux. The bugs affect Adobe Flash Player for Google Chrome on Windows, macOS, Chrome OS and Linux, and the associated plugin for Microsoft Edge and Internet Explorer 11 on the Windows 10 and 8.1 operating systems.
The security report signals that malicious actors can take advantage of Adobe Acrobat files in order to execute arbitrary code. This is made possible by embedding JavaScript code that is executed once the documents are opened. This behaviour is caused by a flaw in the Adobe Acrobat software. The consequences can be even more damaging, as hackers can combine privilege escalation code with a remote code execution block. Consequently, the JavaScript code will be run with administrator privileges, which gives the criminal operators full control of the affected machine.
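As an added triage example (not from Adobe's bulletin or the original article), the following Python code flags PDF files that carry JavaScript together with an open-time trigger, the pattern described above. The function names and sample bytes are constructed for illustration, and names hidden inside compressed object streams are not visible to this kind of byte scan.

```python
import re

# PDF dictionary names that indicate script content or an automatic trigger.
# /OpenAction and /AA (additional actions) fire without a user clicking anything.
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA")

# A PDF name is "/" followed by any bytes other than whitespace or delimiters.
_NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes so /J#61vaScript compares equal to /JavaScript."""
    plain = _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def count_active_content(pdf_bytes: bytes) -> dict:
    """Count occurrences of each suspicious name in the raw file bytes."""
    counts = {name: 0 for name in SUSPICIOUS_NAMES}
    for match in _NAME_RE.finditer(pdf_bytes):
        name = decode_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def needs_review(pdf_bytes: bytes) -> bool:
    """True when script content and an automatic trigger are both present."""
    c = count_active_content(pdf_bytes)
    has_script = c["/JavaScript"] > 0 or c["/JS"] > 0
    auto_run = c["/OpenAction"] > 0 or c["/AA"] > 0
    return has_script and auto_run


# Constructed sample fragments (not real documents).
SAMPLE_FLAGGED = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert(1);) >> endobj\n"
)
SAMPLE_CLEAN = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    for label, data in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(label, count_active_content(data), needs_review(data))
```

A hit is a reason to quarantine or inspect the file, not proof of malice: legitimate forms also use JavaScript, and binary stream data can contain byte runs that look like names.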
The sensitive information disclosure bug allows the hackers to obtain sensitive information such as the following:
- Contents of User Files.
- Personally-Identifiable Information.
- List of Installed Hardware Components.
- Certain Operating System Configuration Values.
All associated CVE advisories patched in this release include the following:
CVE-2018-12782, CVE-2018-5015, CVE-2018-5028, CVE-2018-5032, CVE-2018-5036, CVE-2018-5038, CVE-2018-5040,
CVE-2018-5041, CVE-2018-5045, CVE-2018-5052, CVE-2018-5058, CVE-2018-5067, CVE-2018-12785, CVE-2018-12788,
CVE-2018-12798, CVE-2018-5009, CVE-2018-5011, CVE-2018-5065, CVE-2018-12756, CVE-2018-12770, CVE-2018-12772,
CVE-2018-12773, CVE-2018-12776, CVE-2018-12783, CVE-2018-12791, CVE-2018-12792, CVE-2018-12796, CVE-2018-12797,
CVE-2018-5020, CVE-2018-5021, CVE-2018-5042, CVE-2018-5059, CVE-2018-5064, CVE-2018-5069, CVE-2018-5070,
CVE-2018-12754, CVE-2018-12755, CVE-2018-12758, CVE-2018-12760, CVE-2018-12771, CVE-2018-12787, CVE-2018-12802,
CVE-2018-12802, CVE-2018-5010, CVE-2018-12803, CVE-2018-5014, CVE-2018-5016, CVE-2018-5017, CVE-2018-5018,
CVE-2018-5019, CVE-2018-5022, CVE-2018-5023, CVE-2018-5024, CVE-2018-5025, CVE-2018-5026, CVE-2018-5027,
CVE-2018-5029, CVE-2018-5031, CVE-2018-5033, CVE-2018-5035, CVE-2018-5039, CVE-2018-5044, CVE-2018-5046,
CVE-2018-5047, CVE-2018-5048, CVE-2018-5049, CVE-2018-5050, CVE-2018-5051, CVE-2018-5053, CVE-2018-5054,
CVE-2018-5055, CVE-2018-5056, CVE-2018-5060, CVE-2018-5061, CVE-2018-5062, CVE-2018-5063, CVE-2018-5066,
CVE-2018-5068, CVE-2018-12757, CVE-2018-12761, CVE-2018-12762, CVE-2018-12763, CVE-2018-12764, CVE-2018-12765,
CVE-2018-12766, CVE-2018-12767, CVE-2018-12768, CVE-2018-12774, CVE-2018-12777, CVE-2018-12779, CVE-2018-12780,
CVE-2018-12781, CVE-2018-12786, CVE-2018-12789, CVE-2018-12790, CVE-2018-12795, CVE-2018-5057, CVE-2018-12793,
CVE-2018-12794, CVE-2018-5012, CVE-2018-5030, CVE-2018-5034, CVE-2018-5037, CVE-2018-5043, CVE-2018-12784.
All users of Adobe products are advised to update their installations by choosing Help > Check for Updates. The full security bulletin is available here.
Make sure to check the patches in Microsoft’s Patch Tuesday July 2018.