Updates released on Tuesday by Adobe for its Acrobat, Acrobat Reader and Experience Manager products patch more than 40 vulnerabilities, but none of them appear to have been exploited for malicious purposes.
The company fixed a total of 39 flaws in its Acrobat and Reader products for Windows and Mac. The security holes, rated important and critical with a priority rating of 2, have been described as security mitigation bypass, heap overflow, use-after-free, out-of-bounds read, and out-of-bounds write weaknesses that can be exploited for privilege escalation or arbitrary code execution.
The flaws impact version 2018.009.20050 and earlier of Acrobat DC Continuous Track, version 2017.011.30070 and earlier of Acrobat 2017, and versions 2015.006.30394 and earlier of Acrobat DC Classic Track.
More than half of the vulnerabilities were reported to Adobe by employees of China-based Tencent. The disclosure was often made through Trend Micro’s Zero Day Initiative (ZDI).
As for Experience Manager, the latest version of the enterprise content management solution patches two vulnerabilities, including a reflected cross-site scripting (XSS) issue rated moderate, and an important XSS in the Apache Sling XSS protection API.
According to Adobe, exploitation of these flaws could allow attackers to obtain sensitive information. The company has not credited anyone for the Experience Manager security holes.
Earlier this month, Adobe issued an emergency update for Flash Player after learning that threat actors believed to be working on behalf of North Korea had been exploiting a zero-day vulnerability in attacks aimed at South Korea.
The group believed to be behind the attacks is tracked by FireEye as “TEMP.Reaper” and by Cisco Talos as “Group 123.”
Related: Adobe Patch Tuesday Updates Fix Only One Flash Player Flaw
Related: South Korea Warns of Flash Zero-Day Exploited by North Korea
Related: Adobe Patches Flash Zero-Day Exploited in Targeted Attacks
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
- Cisco to Acquire Splunk for $28 Billion
- Car Cybersecurity Study Shows Drop in Critical Vulnerabilities Over Past Decade
- Omron Patches PLC, Engineering Software Flaws Discovered During ICS Malware Analysis
- Intel Launches New Attestation Service as Part of Trust Authority Portfolio
- Atos Unify Vulnerabilities Could Allow Hackers to Backdoor Systems
Latest News
- In Other News: New Analysis of Snowden Files, Yubico Goes Public, Election Hacking
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- Air Canada Says Employee Information Accessed in Cyberattack
- BIND Updates Patch Two High-Severity DoS Vulnerabilities
- Faster Patching Pace Validates CISA’s KEV Catalog Initiative
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
- New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware
