Adobe is closing out this year with its December Patch Tuesday update to address a massive number of security vulnerabilities for just its two PDF apps—more than double the number of what Microsoft patched this month for its several products.Adobe today released patches for 87 vulnerabilities affecting its Acrobat and Reader software products for both macOS and Windows operating systems, of which 39 are rated as critical and 48 important in severity.
The security update comes less than a week after Adobe released patches for a critical zero-day vulnerability (CVE-2018-15982) in Flash Player that was actively being exploited in a targeted attack targeting a Russian state health care institution.
The critical vulnerabilities addressed today in Acrobat and Reader include three heap-overflow bugs, five out-of-bounds write flaws, two untrusted pointer dereference issues, two buffer errors, and 24 use-after-free bugs.Upon successful exploitation, all of the above critical vulnerabilities would allow an attacker to execute arbitrary code on compromised computers.
Rest three critical-rated issues addressed this month are all security bypass issues which, if exploited, would lead to privilege escalation.
In addition to the critical bugs, Adobe patched 48 ‘important’ security flaws in the Acrobat and Reader, including 43 are out-of-bounds read issues, four integer overflow flaws, and two security bypass issues—all of which could lead to information disclosure.
According to the company’s support website, vulnerabilities rated as important, “if exploited would compromise data security, potentially allowing access to confidential data, or could compromise processing resources in a user’s computer.”
The company did not disclose technical details of any of the vulnerabilities, but categorized all the flaws, both critical and important, as “Priority 2,” meaning that the flaws are unlikely to be exploited in the wild but are at high risk of being exploited.
“There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent,” Adobe says. “As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days).”
Users of the Adobe Acrobat and Reader apps for Windows and macOS operating systems are highly recommended to update their software packages to the latest versions as soon as possible.