Adobe has released the August 2018 Security Updates (APSB18-29), which address key vulnerabilities in the Acrobat and Reader applications. The updates are available to both Windows and Mac OS X users. All users running these products are advised to update their installations as soon as possible.
APSB18-29: August 2018 Security Updates Released by Adobe: Acrobat and Reader Vulnerabilities Fixed
Adobe issued its latest bulletin of patches addressing issues found in two of its main products, Acrobat and Reader. They are part of the August 2018 Security Updates bundle and include patches for a total of 11 bugs in these two programs. Most of them could allow a remote code execution attack. The accompanying release notes do not say whether the issues were reported privately or whether there have been reported incidents that make use of the vulnerabilities.
Two of the issues are assigned a “critical” severity and are tracked under the following identifiers:
- CVE-2018-12808 — An out-of-bounds write bug that can result in arbitrary code execution.
- CVE-2018-12799 — An untrusted pointer dereference issue that can result in arbitrary code execution.
By exploiting these flaws in the two applications, malicious users can overcome the protective features and execute arbitrary code. Attackers can use a variety of approaches to trigger this behaviour. A common way would be to spread infected scripts that lead to the execution of the malicious behaviour.
There are several different channels that the criminals can utilize:
- Phishing Email Messages — Hackers can design email messages that include elements from well-known companies, imitating legitimate notifications, reminders and other frequently delivered emails. The associated malicious files or scripts can be either attached directly or linked in the body contents.
- Malicious Download Sites — The criminals can construct sites that imitate frequently used download portals and vendor sites.
- File Sharing Networks — The malicious documents or other payload carriers can be distributed through peer-to-peer programs and other file sharing networks like BitTorrent, where pirate content is usually spread.
The security research shows that failed exploitation of the vulnerabilities will result in a denial-of-service (DoS) condition. As always, we recommend that users update to the newest version as soon as possible.