This Tuesday, as always, Adobe released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's release comprises 4 advisories covering 11 vulnerabilities, with 2 rated critical, 6 rated important and 3 rated moderate in severity. These vulnerabilities impact Acrobat Reader and Acrobat products, Creative Cloud Desktop Application, Adobe Experience Manager and Adobe Flash Player.
Acrobat Reader and Acrobat
Cybellum Technologies and Trend Micro's Zero Day Initiative have disclosed two critical arbitrary code execution flaws in Acrobat DC and Acrobat Reader DC for Windows and macOS. The vulnerability reported by Cybellum Technologies (CVE-2018-12808) is an out-of-bounds write flaw, whereas the vulnerability reported by Trend Micro's Zero Day Initiative (CVE-2018-12799) is an untrusted pointer dereference.
Creative Cloud Desktop Application
An insecure library loading vulnerability (CVE-2018-5003) was found in the installer for Windows, which could lead to privilege escalation and, in turn, arbitrary code execution.
Adobe Flash Player
Multiple out-of-bounds read errors (CVE-2018-12824, CVE-2018-12826, CVE-2018-12827), a security bypass vulnerability (CVE-2018-12825) and use of a component with a known vulnerability (CVE-2018-12828) can be used to disclose sensitive information, elevate privileges and execute arbitrary code.
Adobe Experience Manager
The product doesn't filter HTML code from user-supplied input before displaying the input (CVE-2018-5005, CVE-2018-12806), which can lead to arbitrary script execution in the user's browser. The attacker can then access cookies, collect data directly from forms and act as the target user on websites. In another vulnerability (CVE-2018-12807), a remote user can exploit an input validation flaw to modify data on the target system.
- Acrobat Reader and Acrobat
- Creative Cloud Desktop Application
- Adobe Experience Manager
- Adobe Flash Player
Adobe Security Bulletin summary for August 2018:
Product : Adobe Acrobat and Reader
CVEs/Advisory : APSB18-29, CVE-2018-12808, CVE-2018-12799
Severity : Critical
Impact : Arbitrary Code Execution

Product : Creative Cloud Desktop Application
CVEs/Advisory : APSB18-20, CVE-2018-5003
Severity : Important
Impact : Privilege Escalation

Product : Adobe Flash Player
CVEs/Advisory : APSB18-25, CVE-2018-12824, CVE-2018-12825, CVE-2018-12826, CVE-2018-12827, CVE-2018-12828
Severity : Important
Impact : Information Disclosure, Security Mitigation Bypass, Privilege Escalation

Product : Adobe Experience Manager
CVEs/Advisory : APSB18-26, CVE-2018-12806, CVE-2018-12807, CVE-2018-5005
Severity : Moderate
Impact : Sensitive Information Disclosure, Unauthorized Information Modification