Adobe Systems is shielding its clients from malware attackers. The multinational computer software company is doing so by launching security patches for its famous products Flash Player, Adobe Reader and Acrobat. Apparently, Adobe worked on addressing the vulnerabilities it found in the Flash Player, Adobe Reader and Acrobat late last year. The end-result of its labor is the first security patches for the trio this year. With the new updates, users will not have to worry about attackers targeting critical vulnerabilities to install malware on their computers, according to PC World.
A micropatch has been made available to resolve a zero-day vulnerability impacting Adobe Reader which could lead to the theft of hashed password values. The vulnerability was originally disclosed by Alex Inführ on 26 January and proof-of-concept (PoC) code has been published. Comparisons have been drawn between the new zero-day bug and CVE-2018-4993, the so-called Bad PDF bug which was resolved in 2018. The exploit does not rely on a software error or specific vulnerability. In this case, the problem lies within Adobe Reader DC and, if exploited, permits attackers to force a PDF file to automatically sent an SMB request to a threat actor's server the moment a document is opened.
Adobe has released a second patch to resolve a critical zero-day vulnerability in Adobe Reader after its original fix failed. The vulnerability, CVE-2019-7089, was patched in Adobe's February 12 patch release. Buried among 42 other critical bugs, the security flaw was described as a sensitive data leak problem which can lead to information disclosure when exploited. Alex Infuhr of Cure53 reported the failed patch to Adobe after discovering a bypass which is able to circumvent the fix, leaving the data leak unresolved. The critical issue is similar to BadPDF and permits attackers to leverage weaknesses in a content embedding feature of Reader which forces the software to send requests to an attacker-controlled server when a .PDF file is opened.
Besides Microsoft patches, this Tuesday also witnessed bug fixes from Adobe. While Microsoft managed to fix 60 vulnerabilities in one batch, Adobe has also patched 11 different vulnerabilities with its latest update. The fixes address two critical code execution vulnerabilities in Adobe Reader and Acrobat. On Tuesday, Adobe released patch updates for different Adobe products. These two critical vulnerabilities include two arbitrary code executions, described as out-of-bounds write (CVE-2018-12808), and untrusted pointer dereference (CVE-2018-12799).
I hope you had biggest, happiest and craziest New Year celebration, but now it's time to come back at work and immediately update your systems to patch new security flaws that could exploit your computer just by opening a PDF file. Adobe has issued an out-of-band security update to patch two critical vulnerabilities in the company's Acrobat and Reader for both the Windows and macOS operating systems. Though the San Jose, California-based software company did not give details about the vulnerabilities, it did classify the security flaws as critical since they allow privilege escalation and arbitrary code execution in the context of the current user. Both the vulnerabilities were reported to Adobe by security researchers--Abdul-Aziz Hariri and Sebastian Apelt--from Trend Micro's Zero Day Initiative (ZDI). Critical Adobe Acrobat and Reader Vulnerabilities The first vulnerability, reported by Apelt and identified as CVE-2018-16011, is a use-after-free bug that can lead to arbitrary code execution.