Adobe has issued its first patch of the year, emitting fixes for a pair of high-risk vulnerabilities in Acrobat and Reader.
The APSB-02 security bundle is being recommended as a high-priority fix, so install it as soon as you can. The two CVE-listed bugs haven't been targeted in the wild yet, so admins are advised to get the updates tested and installed within the next 30 days. By comparison, a critical, actively exploited flaw would have a 72-hour recommended install time.
Still, Mac and Windows PC owners would be well advised to install patches for the two flaws. Limiting user account privileges could also help mitigate the risk from both flaws.
The first, CVE-2018-16011, is a use-after-free() programming blunder that, if exploited, would allow a specially crafted PDF file to execute code with the privileges of the currently logged-in user. Click on the wrong attachment and an attacker can run pretty much whatever they like on the local machine.
The flaw was discovered and reported to Adobe by bug-hunter Sebastian Apelt via the Trend Micro Zero Day Initiative.
The second bug, CVE-2018-19725, is a security bypass vulnerability discovered by Abdul-Aziz Hariri of the Zero Day Initiative. Hariri has done extensive research showing how specially crafted PDF files can use API calls to get around Adobe security protections and access other file paths on the system.
For MacOS and Windows boxes, the updates will be released for Acrobat and Reader DC 2015 (version 2015.006.30464), 2017 (version 2017.011.30113), and Continuous (version 2019.010.20069).
The Adobe fixes will also be advance work for next Tuesday, January 8, when Microsoft is due to kick out its first monthly update of the year for Windows, Office, and Edge/IE. Adobe typically follows suit with patches for Flash and Creative Cloud, and SAP occasionally does as well. ®