As businesses transition back to a routine after the New Year celebrations, one critical task requires immediate attention: updating systems to mitigate serious security vulnerabilities that can be exploited simply by opening a PDF file. Adobe has announced an urgent out-of-band security update aimed at addressing two critical vulnerabilities in its Acrobat and Reader applications that affect both Windows and macOS platforms.
The software giant, headquartered in San Jose, California, has classified these vulnerabilities as critical, although specific details about their nature have not been disclosed. What is known is that they facilitate privilege escalation and arbitrary code execution within the context of the currently logged-in user, which could allow attackers to gain control of affected systems.
Security researchers Abdul-Aziz Hariri and Sebastian Apelt from Trend Micro’s Zero Day Initiative (ZDI) reported these vulnerabilities. The first, identified as CVE-2018-16011, is a use-after-free bug that could lead to arbitrary code execution. An attacker can exploit this flaw by tricking a user into interacting with a maliciously crafted PDF file, potentially executing the attacker’s code with the privileges of the user currently logged in.
The second vulnerability, designated CVE-2018-19725, represents a security bypass flaw that could allow for privilege escalation. Both of these vulnerabilities are rated as critical; however, the company assigned a priority rating of 2, indicating no known instances of exploitation have been observed in the wild.
The affected versions include Acrobat and Reader DC 2015 (version 2015.006.30461 and earlier), Acrobat and Reader DC 2017 (version 2017.011.30110 and earlier), and Acrobat DC Continuous (version 2019.010.20064 and earlier). To address these security flaws, Adobe has released updated versions, including Acrobat DC 2015 (version 2015.006.30464), Acrobat 2017 (version 2017.011.30113), and Acrobat DC Continuous (version 2019.010.20069) for both Windows and macOS.
Given that the details of these vulnerabilities are now public, it is imperative for IT departments and business owners to act promptly in installing the latest patches. Attackers may exploit these vulnerabilities to target user systems, increasing the risk for organizations of all sizes. As cyber defenses are constantly evolving, proactive measures such as these updates are essential for maintaining robust security.
Adobe adheres to a regular schedule for security updates, typically releasing patches on the second Tuesday of each month, similar to Microsoft. This ensures that newer vulnerabilities will also be addressed in upcoming releases, providing another layer of security for businesses navigating an increasingly complex threat landscape.
Considering the critical nature of these vulnerabilities, companies should prioritize their updates. Implementing the recommended patches not only protects against these specific threats but also reinforces the overall security posture against future attacks. In this landscape of evolving cyber threats, staying informed and vigilant is crucial for safeguarding sensitive data and maintaining business operations.