Hacker News
Emergency Patches Released for Two Critical Flaws in Adobe Products

The multinational computer software company Adobe has released a security update to patch two critical vulnerabilities in its Acrobat and Reader software lines. The flaws affect the software on the Windows and macOS operating systems.
Although Adobe has not released details about the vulnerabilities, it has revealed that the flaws are classified as critical because they allow for privilege escalation and arbitrary code execution.
The two vulnerabilities were brought to Adobe’s attention by two security researchers, identified as Abdul-Aziz Hariri and Sebastian Apelt, from Trend Micro’s Zero Day Initiative (ZDI).
Adobe reported that the first vulnerability (CVE-2018-16011) is classed as a use-after-free bug that allows for arbitrary code execution. This type of bug refers to an attempt to access memory after it has been freed, which can cause a program to crash. A use-after-free vulnerability can potentially lead to the execution of arbitrary code or even allow full remote code execution.
Attackers can exploit the flaw by deceiving a user into clicking a tailored PDF file that hosts malicious code, allowing the attackers to gain control of the machine.
The second vulnerability (CVE-2018-19725) has been revealed to be a security bypass flaw that could result in privilege escalation.
Although these vulnerabilities had the potential to cause serious disruption to users, they were given a priority rating of 2. This rating means that Adobe found no evidence that attackers exploited the vulnerability for their own gain.
Since the vulnerabilities have now been released by Apelt, it is likely that attackers are looking to exploit them against users who have not updated their Adobe software. We recommend that users update their Adobe software immediately, installing the patches in order to safeguard themselves against an attack.