Following Adobe's fix of a grand total of 112 vulnerabilities in its July product range patch, the company has just released its August product range patch, which fixes (only) 11 flaws across its Flash Player, Acrobat DC and Reader, and other products. Although 11 fixes may not seem like much, this release includes two highly critical patches for the Acrobat and Reader software, as well as other important updates that should be applied as soon as possible.
The most concerning flaws fixed in this latest update lie in Adobe Acrobat and Reader for Windows and macOS. The two vulnerabilities are tracked as CVE-2018-12808 and CVE-2018-12799. According to Adobe's security advisory, the first is an out-of-bounds write that can lead to arbitrary code execution in the context of the current user. The second is an untrusted pointer dereference that likewise allows arbitrary code execution in the context of the current user.
These two critical security vulnerabilities affect the Acrobat DC and Acrobat Reader DC versions 2018.011.20055 and prior, the Acrobat 2017 and AR Classic 2017 versions 2017.011.30096 and prior, and the Acrobat DC and AR DC Classic 2015 versions 2015.006.30434 and prior. Updates for the respective versions of the products have been released on Adobe’s website in the form of the Adobe August Update pack.
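The version ceilings above ("and prior") are the numbers an administrator needs to triage an inventory of installed Acrobat and Reader builds. The following is an added example, not code from the article or from Adobe: it parses the dotted build strings, picks the release track from the leading component (an assumption for readability; the ceilings themselves are the ones quoted above), and flags anything at or below the affected ceiling. The inventory it runs over is constructed sample data.

```python
# Added example (not from the article): flag Acrobat / Reader installs still on an
# affected build, using the "and prior" ceilings quoted from Adobe's August 2018 advisory.

from typing import List, Optional, Tuple

# Highest affected build per release track, as stated in the advisory.
# Keying by the leading version component is an assumption made here for simplicity.
AFFECTED_CEILINGS = {
    2018: (2018, 11, 20055),   # Acrobat DC / Acrobat Reader DC (Continuous)
    2017: (2017, 11, 30096),   # Acrobat 2017 / Acrobat Reader 2017 (Classic)
    2015: (2015, 6, 30434),    # Acrobat DC / Acrobat Reader DC Classic 2015
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2018.011.20055' into (2018, 11, 20055). Raises ValueError on junk,
    so a malformed inventory row is reported instead of silently passing as 'OK'."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {text!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)


def is_affected(installed: str) -> Optional[bool]:
    """True if the build is at or below the affected ceiling for its track,
    False if it is newer, None if the track is not covered by the advisory."""
    version = parse_version(installed)
    ceiling = AFFECTED_CEILINGS.get(version[0])
    if ceiling is None:
        return None
    # Tuple comparison is lexicographic, so (2018, 11, 20055) <= ceiling is True
    # and (2018, 11, 20058) <= ceiling is False, as intended.
    return version <= ceiling


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Map (host, version) rows to (host, version, status) rows.
    Status is PATCH, OK, UNKNOWN (track not in advisory) or INVALID (unparseable)."""
    results = []
    for host, version in inventory:
        try:
            verdict = is_affected(version)
        except ValueError:
            results.append((host, version, "INVALID"))
            continue
        if verdict is None:
            status = "UNKNOWN"
        elif verdict:
            status = "PATCH"
        else:
            status = "OK"
        results.append((host, version, status))
    return results


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("ws-finance-01", "2018.011.20055"),   # exactly the ceiling: still affected
    ("ws-finance-02", "2018.011.20058"),   # above the ceiling: not affected
    ("ws-legal-01", "2017.011.30096"),     # Classic 2017 at the ceiling
    ("ws-legal-02", "2015.006.30500"),     # Classic 2015 above the ceiling
    ("ws-lab-01", "2019.008.20071"),       # track not covered by this advisory
    ("ws-lab-02", "n/a"),                  # broken inventory row
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:15s} {version:16s} {status}")
```

Hosts reported as PATCH are the ones still on a build the advisory lists as affected; UNKNOWN rows need a manual check against the advisory rather than being assumed safe.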
Setting aside these two critical vulnerabilities leaves nine remaining bug fixes. Five of them are for Adobe Flash Player and four are other miscellaneous updates. The five Flash Player fixes address CVE-2018-12828, CVE-2018-12827, CVE-2018-12826, CVE-2018-12825, and CVE-2018-12824, all of which could lead to remote code execution via privilege escalation. These fixes were rated Important, even though none of them is known to have been exploited so far.
The remaining vulnerabilities fixed in this release are CVE-2018-12806, CVE-2018-12807, and CVE-2018-5005. They affect Adobe Experience Manager versions 6.0 to 6.4 and were flagged as authorization bypasses that could leak sensitive information.
The last patch is for a library loading vulnerability in the Creative Cloud Desktop Application. The flaw lies in the installer and is tracked as CVE-2018-5003. It affects versions 188.8.131.524 and prior of the software for Windows and allows privilege escalation.