Adobe has concluded the year with its December Patch Tuesday by releasing updates aimed at addressing a significant number of security vulnerabilities in its PDF applications. The number of fixes exceeds that of Microsoft’s patches for this month, underlining the critical nature of the issues at hand.

The software developer has rolled out fixes for a total of 87 vulnerabilities that affect both its Acrobat and Reader products across macOS and Windows platforms. Among these vulnerabilities, 39 have been classified as critical, while 48 are considered important.

This security update arrives shortly after Adobe resolved a critical zero-day vulnerability (CVE-2018-15982) in Flash Player that had been actively exploited in a targeted attack on a Russian state healthcare facility.

The critical vulnerabilities addressed in the latest updates include a range of technical flaws, such as three heap overflow vulnerabilities, five out-of-bounds write bugs, two issues related to untrusted pointer dereferencing, two buffer errors, and a concerning 24 use-after-free vulnerabilities. These flaws, if successfully exploited, could enable attackers to execute arbitrary code on the affected systems, raising significant concerns for users.

Additionally, three other critical-rated vulnerabilities pertain to security bypass issues that could lead to unauthorized privilege escalation—a serious risk for any organization.

Adobe also patched 48 “important” vulnerabilities within its applications, which include 43 out-of-bounds read issues and several integer overflow flaws that could ultimately expose sensitive information. According to Adobe’s support site, important vulnerabilities can compromise data security, potentially allowing unauthorized access to confidential data and processing resources.

Although Adobe has not revealed specific technical details about the vulnerabilities, it has classified all of the flaws as “Priority 2.” This categorization suggests that while the vulnerabilities are unlikely to be exploited imminently, they do present a high risk of being targeted in the future. “Currently, no known exploits are active. Based on past data, we do not foresee imminent exploitation,” stated Adobe. The company also advises that updates should be installed promptly, ideally within a 30-day timeframe.

Business owners utilizing Adobe Acrobat and Reader on Windows and macOS are strongly urged to apply these updates at their earliest convenience to mitigate potential cybersecurity risks.
