Adobe has issued an out-of-band security update to patch two critical vulnerabilities in the company’s Acrobat and Reader for both the Windows and macOS operating systems.
Though the San Jose, California-based software company did not give details about the vulnerabilities, it did classify the security flaws as critical since they allow privilege escalation and arbitrary code execution in the context of the current user.
Both the vulnerabilities were reported to Adobe by security researchers–Abdul-Aziz Hariri and Sebastian Apelt—from Trend Micro’s Zero Day Initiative (ZDI).
Critical Adobe Acrobat and Reader Vulnerabilities
The first vulnerability, reported by Apelt and identified as CVE-2018-16011, is a use-after-free bug that can lead to arbitrary code execution.
Attackers can exploit the flaw by tricking a user into clicking a specially crafted PDF file, which will eventually execute code of their choice with the privileges of the currently logged-in user, allowing attackers to run any malicious software on the victims’ computers without their knowledge.
The second vulnerability, discovered by Hariri and identified as CVE-2018-19725, is a security bypass flaw that could result in privilege escalation.
Both security vulnerabilities are rated as critical but has been assigned a priority rating of 2, which means that the company found no evidence of any exploitation of these vulnerabilities in the wild.
Affected Software Versions and Security Patches
Acrobat and Reader DC 2015 version 2015.006.30461 and earlier, 2017 version 2017.011.30110 and earlier, and Continuous version 2019.010.20064 and earlier for the Windows and macOS operating systems are affected by the vulnerabilities.
Adobe has addressed the flaws with the release of the latest versions of Acrobat DC 2015 and Acrobat Reader DC 2015 (version 2015.006.30464), Acrobat 2017 and Acrobat Reader DC 2017 (version 2017.011.30113), and Acrobat DC Continuous and Acrobat Reader DC Continuous (version 2019.010.20069) for Windows and macOS.
Since the vulnerabilities are now public, threat actors would not leave any opportunity to exploit the issues to target user computers, Mac and Windows computer owners are highly recommended to install patches for the two vulnerabilities as soon as possible.
Adobe typically releases security updates for its software on the second Tuesday of the month, just like Microsoft, so you can expect the company to release regular patch updates for the rest of its software in this month’s release.