Adobe has posted security updates for Acrobat, Reader, and Photoshop, many of them critical fixes.
The developer says the Acrobat and Reader update will address a total of 47 CVE-listed vulnerabilities, including two dozen remote code execution flaws in the PDF readers. Adobe notes that none of the bugs are being actively targeted yet.
Adobe: Two critical Flash security bugs fixed for the price of oneREAD MORE
Of those 47 CVE entries, 13 are for use-after-free remote code execution bugs, while another seven allow remote code execution via heap overflow errors. The remaining remote code execution vulnerabilities are a double free error (CVE-2018-4990), an out-of-bounds write error (CVE-2018-4950 ), a type confusion error (CVE-2018-4953), and an untrusted pointer dereference (CVE-2018-4987).
In all, 19 of the patched flaws are information disclosure bugs via out-of-bounds read errors, while two others (CVE-2018-4994, CVE-2018-4979) describe security bypass vulnerabilities. Two other information disclosure flaws are due to NTLM SSO hash theft (CVE-2018-4993) and a memory corruption error (CVE-2018-4965).
For Acrobat and Reader DC, the updated version is 2018.011.20040, while Acrobat 2017 and Acrobat Reader DC 2017 are patched in version 2017.011.30080. The "Classic 2015" versions of Acrobat Reader DC and Acrobat DC are patched in update 2015.006.30418.
Photoshop, meanwhile, has been updated to patch over CVE-2018-4946, a remote code execution flaw due to an out-of-bounds write error. Discovery of the flaw was credited to researcher Giwan Go, who reported it via Trend Micro's Zero Day Initiative.
Those running Photoshop CC 2018 (both the Mac and Windows versions) will want to install versions 19.1.4, while those using Photoshop CC 2017 will want to download the 18.1.4 release.
This latest Adobe updates comes less than a week after the vendor kicked out another scheduled batch of fixes for Flash to coincide with Patch Tuesday. That update also included updates for Creative Cloud on both Mac and Windows. ®