Adobe Patches 39 Vulnerabilities in Acrobat and Reader

Updates released on Tuesday by Adobe for its Acrobat, Acrobat Reader and Experience Manager products patch more than 40 vulnerabilities, but none of them appear to have been exploited for malicious purposes.

The company fixed a total of 39 flaws in its Acrobat and Reader products for Windows and Mac. The security holes, rated important and critical with a priority rating of 2, have been described as security mitigation bypass, heap overflow, use-after-free, out-of-bounds read, and out-of-bounds write weaknesses that can be exploited for privilege escalation or arbitrary code execution.

The flaws impact version 2018.009.20050 and earlier of Acrobat DC Continuous Track, version 2017.011.30070 and earlier of Acrobat 2017, and versions 2015.006.30394 and earlier of Acrobat DC Classic Track.

More than half of the vulnerabilities were reported to Adobe by employees of China-based Tencent. The disclosure was often made through Trend Micro’s Zero Day Initiative (ZDI).

As for Experience Manager, the latest version of the enterprise content management solution patches two vulnerabilities, including a reflected cross-site scripting (XSS) issue rated moderate, and an important XSS in the Apache Sling XSS protection API.

According to Adobe, exploitation of these flaws could allow attackers to obtain sensitive information. The company has not credited anyone for the Experience Manager security holes.

Earlier this month, Adobe issued an emergency update for Flash Player after learning that threat actors believed to be working on behalf of North Korea had been exploiting a zero-day vulnerability in attacks aimed at South Korea.

The group believed to be behind the attacks is tracked by FireEye as “TEMP.Reaper” and by Cisco Talos as “Group 123.”

Related: Adobe Patch Tuesday Updates Fix Only One Flash Player Flaw

Related: South Korea Warns of Flash Zero-Day Exploited by North Korea

Related: Adobe Patches Flash Zero-Day Exploited in Targeted Attacks