Adobe Releases Out-of-Band Security Bulletin for Adobe Acrobat and Reader (APSB19-02)
Adobe issued an out-of-band security bulletin which addresses two critical vulnerabilities (CVE-2018-16011, CVE-2018-16018) in Adobe Acrobat and Reader.
Contexto
On January 3, Adobe released a security bulletin to address two critical vulnerabilities in Adobe Acrobat and Reader for both Windows and macOS. Adobe published a prenotification for this bulletin on December 27 to give users advance warning.
Vulnerability details
The security bulletin addresses two critical vulnerabilities. The first, CVE-2018-16011, is a use after free vulnerability that could lead to arbitrary code execution. CVE-2018-16018 is a security bypass vulnerability that could allow an attacker to elevate privileges. An attacker could create and deliver a specially crafted PDF file to a vulnerable target in order to exploit these vulnerabilities. Adobe hasn’t provided any additional details about these vulnerabilities, including whether or not they have been observed in attacks in the wild.
Tenable’s Security Response Team observed that both of the CVEs listed in APSB19-02 were initially included as part of APSB18-41, Adobe’s monthly security bulletin from December 2018. However, both CVEs were removed on or before December 20, according to the last revision date in the bulletin. Additionally, Adobe revised APSB19-02 to include CVE-2018-16018 in place of the previously listed CVE-2018-19725.
Urgently required actions
Adobe has released updated versions of Adobe Acrobat DC, Adobe Acrobat Reader DC, Acrobat 2017 and Acrobat Reader DC 2017 that address these vulnerabilities. End users and IT administrators are encouraged to upgrade to these patched versions as soon as possible.
Identificação de sistemas afetados
Tenable’s plugins for APSB18-41 will be updated to reflect Adobe’s revised bulletin. Once updated, the following list of Nessus plugins to identify these specific vulnerabilities will appear here as they’re released.
Obtenha mais informações
- Security Bulletin for Adobe Acrobat and Reader | APSB19-02
- Security Bulletin for Adobe Acrobat and Reader | APSB18-41
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Artigos relacionados
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Cybersecurity Snapshot: Latest MITRE ATT&CK Update Offers Security Insights on GenAI, Identity, Cloud and CI/CD
April 26, 2024Check out what’s new in Version 15 of the MITRE ATT&CK knowledge base of adversary tactics, techniques and procedures. Plus, learn the latest details about the Change Healthcare breach, including the massive scope of the data exfiltration. In addition, why AI cyberthreats aren’t impacting CISOs’ budgets. And much more!
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
- Vulnerability Management
- Vulnerability Scanning