Adobe releases patches for Flash and Acrobat
The company issued fixes for 112 vulnerabilities in its products, spanning Flash Player, Acrobat and Reader, Experience Manager, and Adobe Connect. While the Acrobat products accounted for most of the vulnerabilities, Flash Player also had a critical arbitrary code execution bug (CVE-2018-5007).
Adobe fixed two Flash Player bugs affecting various versions of the player: a critical arbitrary code execution bug (CVE-2018-5007) and an important out-of-bounds read information disclosure bug (CVE-2018-5008). Versions 30.0.0.113 and earlier of Adobe Flash Player Desktop Runtime and Adobe Flash Player are affected, on all operating systems including Windows, macOS, and Linux. Users are strongly advised to update to version 30.0.0.134 using any of the available installation methods, including the Flash Player Download Center.
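The practical follow-up to the paragraph above is an inventory check, and the pitfall there is comparing version strings lexically ("30.0.0.9" sorts after "30.0.0.134" as text). The script below is an added example, not code from the article or from Adobe; the two version numbers come from the text above, and SAMPLE_INVENTORY is constructed data standing in for a software-inventory export.

```python
"""Flag Flash Player installs that are still at or below the affected build.

Added example, not from the article or from Adobe. The two version numbers come
from the advisory text: 30.0.0.113 and earlier are affected by CVE-2018-5007 and
CVE-2018-5008, and 30.0.0.134 is the fixed release. SAMPLE_INVENTORY is
constructed data standing in for a software-inventory export.
"""

LAST_AFFECTED = "30.0.0.113"  # from the advisory text
FIXED_VERSION = "30.0.0.134"  # from the advisory text

# Constructed sample inventory: (hostname, installed Flash Player version).
SAMPLE_INVENTORY = [
    ("ws-01", "30.0.0.113"),  # exactly the last affected build
    ("ws-02", "30.0.0.134"),  # patched
    ("ws-03", "30.0.0.9"),    # older build that sorts *after* 30.0.0.134 as a string
    ("ws-04", "29.0.0.171"),  # previous branch, also affected
    ("ws-05", "30.0.0"),      # short version string, treated as 30.0.0.0
]


def parse_version(text: str) -> tuple[int, ...]:
    """Convert a dotted version string into a tuple of ints.

    Comparing the tuples compares each component numerically, which avoids the
    classic mistake of comparing version strings lexically ("30.0.0.9" >
    "30.0.0.134" is True for strings but False for versions).
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b.

    Missing trailing components are treated as zero, so "30.0.0" == "30.0.0.0".
    """
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_affected(installed: str) -> bool:
    """True when the installed build is at or below the last affected version."""
    return compare_versions(installed, LAST_AFFECTED) <= 0


def affected_hosts(inventory) -> list[str]:
    """Hostnames (sorted) whose Flash Player still needs the 30.0.0.134 update."""
    return sorted(host for host, version in inventory if is_affected(version))


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update Flash Player to {FIXED_VERSION}")
```

Feed it the version column of whatever inventory tool you use; the only requirement is that the version strings are dotted integers, which is what Flash Player reports.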
In Adobe Acrobat and Reader, 104 vulnerabilities were patched, including 53 rated critical and 51 rated important. Acrobat DC and Acrobat Reader DC from 2015 to 2018 are all affected on Windows and macOS: the patches cover all versions of Adobe Acrobat, Continuous, Classic 2017 and Classic 2015, on both platforms. Many of the vulnerabilities allow remote code execution, and one allows privilege escalation. They let an attacker embed malicious JavaScript inside an Acrobat file; when the file is opened, the JavaScript executes a command or downloads a loader. By chaining remote code execution with privilege escalation, the command can be run as administrator, giving the attacker full control of the victim's machine. The critical bugs include arbitrary code execution flaws such as a double free vulnerability (CVE-2018-12782), 14 heap overflow bugs, 13 use-after-free bugs, 13 out-of-bounds write vulnerabilities, and three type confusion bugs. A critical security bypass privilege escalation bug (CVE-2018-12802) was also fixed in the Acrobat products.
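Since the Acrobat bugs described above are reached through JavaScript embedded in a PDF that runs when the file opens, a useful first-pass triage for a mail gateway or analyst is to count the PDF name objects that carry a script (/JS, /JavaScript) or trigger it on open (/OpenAction, /AA). The scanner below is an added example, not code from the article or from Adobe; it handles the two common ways such names are hidden, hex-escaped names and Flate-compressed streams, and both sample PDFs it scans are constructed here for the demonstration (the only script they carry is app.alert('demo')).

```python
"""Triage a PDF for embedded JavaScript and auto-run actions.

Added example, not from the article or from Adobe. Both sample PDFs are
constructed here for the demonstration; the indicator list is the usual
pdfid-style set of PDF name objects associated with active content.
"""
import re
import zlib

INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

# Hex escapes inside PDF names (/J#53 is the same name as /JS), and the
# body of stream objects, which are often Flate-compressed.
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)


def normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated names compare equal to plain ones."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Decompress every stream body that inflates; skip the ones that do not."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates a missing trailer where zlib.decompress does not
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded, or damaged
    return b"\n".join(out)


def count_indicators(pdf: bytes) -> dict[str, int]:
    """Count each indicator in the raw file and in its inflated streams."""
    text = normalise_names(pdf) + b"\n" + normalise_names(inflate_streams(pdf))
    counts = {}
    for name in INDICATORS:
        # The lookahead stops /JS from matching a longer name such as /JSX.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
        counts[name.decode()] = len(re.findall(pattern, text))
    return counts


def triage(pdf: bytes) -> str:
    """'high' = script plus an open-time trigger, 'medium' = script or /Launch only."""
    c = count_indicators(pdf)
    has_script = c["/JS"] + c["/JavaScript"] > 0
    auto_runs = c["/OpenAction"] + c["/AA"] > 0
    if has_script and auto_runs:
        return "high"
    if has_script or c["/Launch"] > 0:
        return "medium"
    return "clean"


# Constructed sample 1: an empty but well-formed document.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample 2: /OpenAction points at a JavaScript action whose name is
# hex-escaped (/J#61vaScript), and a Flate-compressed stream holds a second copy.
_ACTION = b"<< /S /J#61vaScript /JS (app.alert('demo')) >>"
_COMPRESSED = zlib.compress(b"<< /S /JavaScript /JS (app.alert('demo')) >>")
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj " + _ACTION + b" endobj\n"
    b"4 0 obj << /Length " + str(len(_COMPRESSED)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _COMPRESSED + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage(doc), count_indicators(doc))
```

This is a keyword triage, not a parser: it tells you which files deserve a proper look (or a detonation in a sandbox), and a verdict of "clean" only means none of the listed names were found after de-escaping and inflating. Other filters (for example LZW or ASCIIHex-encoded streams) are not decoded here.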
Adobe also released patches for three vulnerabilities in its Adobe Connect presentation software, affecting versions 9.7.5 and earlier. The update patches an authentication bypass vulnerability (CVE-2018-4994) that could result in sensitive information disclosure if successfully exploited, and an important session management vulnerability (CVE-2018-12804) caused by inadequate validation of Connect meeting session tokens. The Connect add-in installer prior to 9.7 insecurely loads DLL files (CVE-2018-12805), which could be abused to escalate local privileges. Adobe also patched three vulnerabilities rated important in its Experience Manager enterprise CMS product, affecting versions 6.0 to 6.4; all three were sensitive information disclosure bugs.