Naked Security

Update now! Adobe Acrobat and Reader have critical flaws

Adobe has patched two critical flaws in Acrobat and Reader that warrant urgent attention.

Officially, Adobe patches security vulnerabilities around the middle of each month to coordinate with Microsoft’s Patch Tuesday, but recently it’s become almost routine for the company to issue out-of-band updates in between.

APSB19-02, the first such update to reach customers in the new year, addresses two critical flaws and carries an Adobe priority rating of ‘2’.

A priority of 2 means the flaws are serious in a product that has historically been targeted, but Adobe is not aware of any real-world exploits. Had exploitation been detected or judged imminent, the patch would have carried an ‘emergency’ priority rating of ‘1’, which comes with a 72-hour installation target.

The first flaw, CVE-2018-16011, is described by Adobe as a use-after-free bug. An attacker could exploit it with a maliciously crafted PDF to run arbitrary code in the context of the current user, which is enough to install malware of their choice on the target system.

The second, CVE-2018-16018 (which replaces the earlier identifier CVE-2018-19725), is a security bypass of the JavaScript API execution restrictions in Acrobat Reader DC, and appears to have been in the works since before Christmas.

Fixing the flaws

Both flaws affect Acrobat DC and Acrobat Reader DC 2019.010.20064 and earlier on Windows and macOS; the fix in both cases is to update to 2019.010.20069.

For the legacy (Classic) tracks, Acrobat/Reader 2017 (2017.011.30110 and earlier) updates to 2017.011.30113, and Acrobat/Reader DC 2015 (2015.006.30461 and earlier) updates to 2015.006.30464.

Because these are critical flaws with a priority rating of ‘2’, Adobe suggests a 30-day window within which to apply the updates, but it’s worth bearing in mind that a new round of patches for Adobe products will likely be offered tomorrow as part of Patch Tuesday, so scheduling one update cycle to cover both is sensible.
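As an added example (not code from the article or from Adobe), here is a small Python check that compares inventoried Acrobat/Reader builds against the fixed versions listed above, using the year component of the version string to select the right release track. The hostnames and inventory lines are constructed for illustration, and the script assumes that the two-digit year form some inventories report (19.010.20069) denotes the same build as 2019.010.20069. Builds on a track the bulletin does not mention are reported as unknown rather than safe.

```python
"""Triage an Acrobat/Reader software inventory against the APSB19-02 fixed builds.

Added example; not Adobe's or the article's code. The fixed-version table is
taken from the bulletin figures quoted in the article; everything else is
constructed for illustration.
"""

# Minimum fixed build per release track, as listed for APSB19-02.
# The track is identified by the leading (year) component of the version.
FIXED_VERSIONS = {
    2019: (2019, 10, 20069),  # Acrobat DC / Acrobat Reader DC (Continuous)
    2017: (2017, 11, 30113),  # Acrobat / Reader 2017 (Classic)
    2015: (2015, 6, 30464),   # Acrobat / Reader DC 2015 (Classic)
}


def parse_version(text):
    """Turn '2019.010.20064' (or '19.010.20064') into the tuple (2019, 10, 20064).

    Numeric comparison matters: as strings, '2019.010.20069' sorts before
    '2019.010.2007', which would misclassify a later build as vulnerable.
    A two-digit leading year is assumed to be shorthand for 20xx.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Acrobat version string: {text!r}")
    year, minor, build = (int(p) for p in parts)
    if year < 100:  # e.g. '19.010.20069' -> 2019 (assumption, see docstring)
        year += 2000
    return (year, minor, build)


def is_patched(version_text):
    """True if the build is at or above the APSB19-02 fix for its track.

    Returns None for a track the bulletin does not cover (for example an
    end-of-life Acrobat XI), so the caller flags it for manual review instead
    of silently treating it as patched.
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version >= fixed


def triage(inventory):
    """Classify 'hostname,version' lines into patched / vulnerable / unknown.

    Blank lines and '#' comments are skipped; malformed version strings go to
    'unknown' so a bad export never hides a host from the vulnerable list.
    """
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = (s.strip() for s in line.split(",", 1))
        try:
            state = is_patched(version)
        except ValueError:
            state = None
        bucket = "unknown" if state is None else ("patched" if state else "vulnerable")
        result[bucket].append((host, version))
    return result


# Constructed sample inventory: hostnames and builds are made up for illustration.
SAMPLE_INVENTORY = """
# host,acrobat_version
ws-finance-01,2019.010.20064
ws-finance-02,19.010.20069
ws-legal-07,2017.011.30110
ws-legal-08,2017.011.30113
srv-scan-03,2015.006.30461
ws-old-12,11.0.23
ws-broken-99,unknown
""".splitlines()


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(bucket.upper())
        for host, version in hosts:
            print(f"  {host:16} {version}")
```

Feed it the output of whatever inventory tool you already have (the Windows uninstall registry keys or a macOS MDM export, for instance); the point is that the comparison is numeric and per-track, so a 2017-track host at 2017.011.30113 is not wrongly flagged just because 2019.010.20069 is a larger number.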

In December’s Patch Tuesday, Adobe released a not inconsiderable 87 patches, including 39 rated critical.

Only days before, Adobe issued an emergency Flash patch for a zero-day vulnerability that was being exploited, while in November Flash received a separate patch for one whose exploitation was believed to be imminent.

9 Comments

Title should be “Are you still using any Adobe products? If so, why?”

Yes, EXACTLY that. There’s such a consistent, voluminous track record of abject failure that I often wonder who exactly is mad enough to still use their crapware.

Maybe I haven’t looked hard enough but I have struggled to find better alternatives for business use. Any suggestions would be appreciated! Thanks

1. There are applications (like some core financial software) that are hard-coded for Adobe. The cost to switch this out is millions.

Sounds like a good deal compared to the price some companies pay for a data breach or outage. That money goes quickly once you get an IR/DF team involved and usually ends up costing much more than the original mitigation would have.

lol, it’s not a good deal. The core software is not like doc readers; there are very few, and even fewer that are worth using. Conversion can take a year or more, and all have 3rd parties that you get bound to. There is no easy answer, and the questions change day to day.

> “Title should be ‘Are you still using any Adobe products? If so, why?'”

Well, the free reader has been so enhanced with markup and fill-in features that it nearly eliminates the need to buy the full-featured Acrobat. I haven’t heard that these features are available in any of the competitors.

Preview in macOS? I use that for filling in “forms” that aren’t even intended to be completed on your computer. Tick-boxes, text fields – all located and populated pretty reliably in a typeface of your choice.

Adobe Acrobat Pro X! – tricked to delete and install. Instead can install Reader – cannot do all that you did with Pro XI, only to be told that the life was not indefinite. Now one has to buy this DC. XI had? Does it have all the features the Pro XI had? I also like to point out that earlier I had an experience when Adobe had a problem with its Flash. I also had to buy – that was when I bought Pro XI. Can Adobe not be fair and send me the copy of Acrobat Pro XI? Be fair and kind.
