A high-risk out-of-bounds memory corruption vulnerability, ID 121244, labeled CVE-2018-5070, was discovered in Adobe’s Acrobat Reader software. The vulnerability impacts the following three versions of the software: 2015.006.30418 and older, 2017.011.30080 and older, and 2018.011.20040 and older. The potential for exploitation was shared with the Adobe security team on the 10th of July, 2018, and only recently has Adobe come out with a disclosure bulletin that recommends a patch update to resolve the threat posed by this vulnerability.
This out-of-bounds memory access vulnerability is ranked as critical in severity, with a base score of 6 against the CVSS standard. It affects the software on all versions of the Windows, Linux, and macOS operating systems, as long as the installed version of Adobe Acrobat Reader falls within one of the three version ranges listed above. The principle of the exploit is the same as in the similar Adobe Flash Player out-of-bounds vulnerability that was also discovered recently. The vulnerability is exposed when a malicious file is opened within the context of the Adobe Acrobat software. The file is then able either to corrupt the software’s memory or to carry out malicious commands remotely through the code it carries, which could compromise the user’s privacy and security.
Hackers exploiting this vulnerability are able to execute unauthorized commands or modify memory, as with a standard buffer overflow. By simply modifying a pointer, the hacker can redirect a function to run the intended malicious code. That code can carry out actions ranging from stealing personal information or content and running other arbitrary commands within the context of the user’s rights, to overwriting the application’s security data and compromising the software. Authentication is not required for the hacker to carry this out. Exploiting the vulnerability triggers the out-of-bounds memory write error while the malicious code executes under the user’s authorization, as intended. The negative impact of this type of exploit falls within the scope of integrity, confidentiality, and availability.
Further technical details on the matter were not disclosed, but a mitigation guide was published in the company’s security bulletin, which suggested that users update to versions 2015.006.30434, 2017.011.30096 or 2018.011.20055.
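
The affected and fixed version numbers above can be turned into a check over a software inventory. The following is an added example, not code from Adobe or from the original article: the host names and inventory values are constructed, and the mapping of build series to release line and the handling of two-digit years are assumptions about Adobe's version numbering that the article does not state.

```python
# Added example: thresholds are the article's; the inventory is constructed.
# Assumption (not from the article): builds 30xxx belong to the year-pinned
# 2015/2017 lines, builds 20xxx to the 2018 line, and a leading "18" means 2018.

# release line -> (highest affected version, first fixed version)
LINES = {
    "2015": ((2015, 6, 30418), (2015, 6, 30434)),
    "2017": ((2017, 11, 30080), (2017, 11, 30096)),
    "2018": ((2018, 11, 20040), (2018, 11, 20055)),
}

def parse_version(text):
    """Turn '2018.011.20040' or '18.011.20040' into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    year, minor, build = (int(p) for p in parts)
    return (year + 2000 if year < 100 else year, minor, build)

def release_line(version):
    """Pick which of the article's three version lines a build belongs to."""
    year, _, build = version
    if 20000 <= build < 30000:
        return "2018"
    if 30000 <= build < 40000 and str(year) in ("2015", "2017"):
        return str(year)
    return None

def classify(text):
    """Return 'affected', 'patched', 'verify', 'unknown-line' or 'unparseable'."""
    try:
        version = parse_version(text)
    except ValueError:
        return "unparseable"
    line = release_line(version)
    if line is None:
        return "unknown-line"
    affected_max, fixed_min = LINES[line]
    if version <= affected_max:
        return "affected"
    if version >= fixed_min:
        return "patched"
    return "verify"  # build falls between the two published numbers

INVENTORY = {"ws-01": "2018.011.20040", "ws-02": "18.011.20055",
             "ws-03": "2017.011.30090", "ws-04": "17.012.20098"}

if __name__ == "__main__":
    for host, version in INVENTORY.items():
        print(f"{host}\t{version}\t{classify(version)}")
```

Hosts reported as `verify` or `unknown-line` need a manual look, because the article only publishes the last affected and first fixed build for each line.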