Last week Adobe released 6 critical updates in its September 2018 monthly Patch Tuesday. It looks like they missed one, as Adobe today released an out-of-band security update for a critical vulnerability in Adobe Acrobat and Adobe Reader.
The APSB18-34 security bulletin details how these updates resolve an out-of-bounds write vulnerability that could lead to code execution, along with six out-of-bounds read vulnerabilities that could lead to information disclosure.
| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
|---|---|---|---|
| Out-of-bounds write | Arbitrary Code Execution | Critical | CVE-2018-12848 |
| Out-of-bounds read | Information Disclosure | Important | |
The code execution vulnerability (CVE-2018-12848) was reported to Adobe by Check Point Software. The information disclosure vulnerabilities were disclosed by Check Point Software, Cybellum Technologies LTD, and via Trend Micro's Zero Day Initiative.
To fix these vulnerabilities, users should upgrade Acrobat DC and Acrobat Reader DC to version 2018.011.20063, Acrobat 2017 and DC 2017 to version 2017.011.30102, and Acrobat DC Classic 2015 and Acrobat Reader DC Classic to version 2015.006.30452. Links to the updates can be found here.
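
To check an inventory against the fixed versions listed above, a small audit script helps. This is an added example, not Adobe tooling or part of the original post; the host names and inventory rows are constructed. It assumes that builds numbered 30000 and up belong to a Classic track and that a two-digit year (as in `18.011.20063`) is shorthand for the four-digit form.

```python
import re

# Fixed versions taken from the text above, keyed by a track label of our own.
FIXED = {
    "continuous": (2018, 11, 20063),   # Acrobat DC / Acrobat Reader DC
    "classic2017": (2017, 11, 30102),  # Acrobat 2017 / DC 2017
    "classic2015": (2015, 6, 30452),   # Acrobat DC Classic 2015 / Reader DC Classic
}
VERSION_RE = re.compile(r"^(\d{2}|\d{4})\.(\d{1,3})\.(\d{5})$")

def parse_version(text):
    """Turn '2018.011.20063' or '18.011.20063' into a comparable tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    year, minor, build = (int(g) for g in m.groups())
    if year < 100:  # assumption: two-digit year is the short form of 20xx
        year += 2000
    return (year, minor, build)

def track_of(version):
    """Assumption: 30xxx builds are Classic (per year), 20xxx are Continuous."""
    year, _, build = version
    return f"classic{year}" if build >= 30000 else "continuous"

def audit(inventory):
    """inventory: iterable of (host, version string) -> list of (host, status)."""
    results = []
    for host, raw in inventory:
        try:
            version = parse_version(raw)
        except ValueError:
            results.append((host, "unparsed"))
            continue
        fixed = FIXED.get(track_of(version))
        if fixed is None:
            results.append((host, "unknown-track"))
        else:
            results.append((host, "patched" if version >= fixed else "needs-update"))
    return results

# Constructed sample inventory (hosts and installed versions are illustrative).
SAMPLE = [
    ("ws-01", "2018.011.20063"), ("ws-02", "18.011.20058"),
    ("ws-03", "2017.011.30096"), ("ws-04", "2015.006.30452"),
    ("ws-05", "2017.012.20098"), ("ws-06", "n/a"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```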