Network Security, Patch/Configuration Management, Vulnerability Management

Patch Tuesday August 2018: Adobe mends two critical bugs in Acrobat and Reader

Adobe Systems today issued patched updates for Acrobat and Reader, Flash Player, Experience Manager, and the Cloud Desktop Application, collectively fixing 11 vulnerabilities, two of them critical.

The two most serious bugs, both of which can result in arbitrary code execution, were discovered in multiple versions of Acrobat and Reader for Windows and macOS. The first is an out-of-bounds write (CVE-2018-12808) discovered by Cybellum Technologies LTD, and the second is an untrusted pointer dereference (CVE-2018-12799), reported by Abdul Aziz Hariri via Trend Micro's Zero-Day Initiative.

Five bugs deemed "important" were found in Flash Player Desktop Runtime (multiple platforms), Flash Player for Google Chrome, and Flash Player for Microsoft Edge and Internet Explorer 11. Three of them are three out-of-bounds reads that can lead to information disclosure (CVE-2018-12824, 12826, 12827), while the two others are a security mitigation bypass (CVE-2018-12825) and privilege escalation (CVE-2018-12828) caused by use of a vulnerable component.

One other important issue was spotted in the Creative Cloud Desktop Application installer for Windows -- a privilege escalation vulnerability resulting from insuring library loading (CVE-2018-5003).

And finally, Adobe disclosed that Experience Manager versions 6.0 - 6.4 (all platforms) possess three moderate flaws -- a cross-site scripting (CVE-2018-5005) and a reflected cross-site scripting (CVE-2018-12806) that both can trigger sensitive information disclosure, and an input validation bypass (CVE-2018-12807) that can cause unauthorized information modification.

Adobe is unaware of any exploits in the wild leveraging any of these flaws.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.