Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.2832
Security bulletin for Adobe Acrobat and Reader | APSB18-34
21 September 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Adobe Acrobat and Reader
Publisher: Adobe
Operating System: Windows
Mac OS
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2018-12850 CVE-2018-12849 CVE-2018-12848
CVE-2018-12840 CVE-2018-12801 CVE-2018-12778
CVE-2018-12775
Original Bulletin:
https://helpx.adobe.com/security/products/acrobat/apsb18-34.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Security bulletin for Adobe Acrobat and Reader | APSB18-34
+----------------------+-------------------------------------+----------------+
| Bulletin ID | Date Published | Priority |
+----------------------+-------------------------------------+----------------+
|APSB18-34 |September 19, 2018 |2 |
+----------------------+-------------------------------------+----------------+
Summary
Adobe has released security updates for Adobe Acrobat and Reader for Windows
and MacOS. These updates address critical and important vulnerabilities.
Successful exploitation could lead to arbitrary code execution in the context
of the current user.
Affected Versions
These updates will address critical vulnerabilities in the software. Adobe will
be assigning the following priority ratings to these updates:
+--------------+----------+--------------------------+------------+-----------+
| Product | Track | Affected Versions | Platform | Priority |
| | | | | rating |
+--------------+----------+--------------------------+------------+-----------+
|Acrobat DC |Continuous|2018.011.20058 and earlier|Windows and |2 |
| | |versions |macOS | |
+--------------+----------+--------------------------+------------+-----------+
|Acrobat Reader|Continuous|2018.011.20058 and earlier|Windows and |2 |
|DC | |versions |macOS | |
+--------------+----------+--------------------------+------------+-----------+
| | | | | |
+--------------+----------+--------------------------+------------+-----------+
|Acrobat 2017 |Classic |2017.011.30099 and earlier|Windows and |2 |
| |2017 |versions |macOS | |
+--------------+----------+--------------------------+------------+-----------+
|Acrobat Reader|Classic |2017.011.30099 and earlier|Windows and |2 |
|2017 |2017 |versions |macOS | |
+--------------+----------+--------------------------+------------+-----------+
| | | | | |
+--------------+----------+--------------------------+------------+-----------+
|Acrobat DC |Classic |2015.006.30448 and earlier|Windows and |2 |
| |2015 |versions |macOS | |
+--------------+----------+--------------------------+------------+-----------+
|Acrobat Reader|Classic |2015.006.30448 and earlier|Windows and |2 |
|DC |2015 |versions |macOS | |
+--------------+----------+--------------------------+------------+-----------+
For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page.
For questions regarding Acrobat Reader DC, please visit the Acrobat Reader DC
FAQ page.
Solution
Adobe recommends users update their software installations to the latest
versions by following the instructions below.
The latest product versions are available to end users via one of the following
methods:
o Users can update their product installations manually by choosing Help >
Check for Updates.
o The products will update automatically, without requiring user
intervention, when updates are detected.
o The full Acrobat Reader installer can be downloaded from the Acrobat Reader
Download Center.
For IT administrators (managed environments):
o Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or
refer to the specific release note version for links to installers.
o Install updates via your preferred methodology, such as AIP-GPO,
bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and
SSH.
Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version:
+---------------+----------+--------------+-----------+----------+------------+
| Product | Track | Updated | Platform | Priority |Availability|
| | | Versions | | Rating | |
+---------------+----------+--------------+-----------+----------+------------+
|Acrobat DC |Continuous|2018.011.20063|Windows and|2 |Windows |
| | | |macOS | |macOS |
+---------------+----------+--------------+-----------+----------+------------+
|Acrobat Reader |Continuous|2018.011.20063|Windows |2 |Windows |
|DC | | |and macOS | |macOS |
+---------------+----------+--------------+-----------+----------+------------+
| | | | | | |
+---------------+----------+--------------+-----------+----------+------------+
|Acrobat 2017 |Classic |2017.011.30102|Windows |2 |Windows |
| |2017 | |and macOS | |macOS |
+---------------+----------+--------------+-----------+----------+------------+
|Acrobat Reader |Classic |2017.011.30102|Windows |2 |Windows |
|DC 2017 |2017 | |and macOS | |macOS |
+---------------+----------+--------------+-----------+----------+------------+
| | | | | | |
+---------------+----------+--------------+-----------+----------+------------+
|Acrobat DC |Classic |2015.006.30452|Windows |2 |Windows |
| |2015 | |and macOS | |macOS |
+---------------+----------+--------------+-----------+----------+------------+
|Acrobat Reader |Classic |2015.006.30452|Windows |2 |Windows |
|DC |2015 | |and macOS | |macOS |
+---------------+----------+--------------+-----------+----------+------------+
Note:
As noted in this previous announcement, support for Adobe Acrobat 11.x and
Adobe Reader 11.x ended on October 15, 2017. Version 11.0.23 is the final
release for Adobe Acrobat 11.x and Adobe Reader 11.x. Adobe strongly
recommends that you update to the latest versions of Adobe Acrobat DC and Adobe
Acrobat Reader DC. By updating installations to the latest versions, you
benefit from the latest functional enhancements and improved security measures.
Vulnerability Details
+-----------------------+------------------------+---------+------------------+
| Vulnerability Category| Vulnerability Impact |Severity | CVE Number |
+-----------------------+------------------------+---------+------------------+
|Out-of-bounds write |Arbitrary Code Execution|Critical |CVE-2018-12848 |
+-----------------------+------------------------+---------+------------------+
| | | |CVE-2018-12849 |
| | | | |
| | | |CVE-2018-12850 |
| | | | |
| | | |CVE-2018-12801 |
|Out-of-bounds read |Information Disclosure |Important| |
| | | |CVE-2018-12840 |
| | | | |
| | | |CVE-2018-12778 |
| | | | |
| | | |CVE-2018-12775 |
+-----------------------+------------------------+---------+------------------+
Acknowledgements
Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect our
customers:
o Anonymously reported via Trend Micro's Zero Day Initiative (CVE-2018-12778,
CVE-2018-12775)
o Cybellum Technologies LTD (CVE-2018-12801)
o Omri Herscovici via Vulnerability Research Check Point Software
Technologies Ltd. (CVE-2018-12848, CVE-2018-12849, CVE-2018-12850,
CVE-2018-12840)
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBW6R/KWaOgq3Tt24GAQiM9w/+I602bOkA1aKLsOBdM5CbmKf4FyDyFsaP
pgZyC89Wzh65EU2WETCfz2GudgejV6kFyZyZYEq3YBfITOl+M0HMeUh1u2dbiLg2
Rp232ReG/1/54Xgh5sJXRylm4kb9BdE86ZGW44tWO+izbfELmUY/THDG48jncaZ0
StJNmDifFsmqixNoF17j6D7cvznx92yafzfLcExb13y9+KxTf+DCkh+MxwnBH8tQ
wOBwVZBI+lRPlHJWJBH/+C5UCQWBVL4RvgLhhQehI4xIZAL0wX9oxWCEaSnOkQ14
BZUpAuiR9BcdB1LE4a+enKwooebaGohPwCbFbyrpLlhGsOoq9HKs/2bKBBxALTIQ
5+rMKBFItr9kORAfpA2ShhVBprT5g97lcpB/UZB11YDue8pfuTvZmEJQRTPjmGcL
GfSpgAfRHXGLvfm/zxGQev11k9HYSCcqBxyEjY5tQnoy9bV0AblQve2i0ni/OwCo
2y9KXqAnymy9nFa38eNbBDBIKiXz2AwYBp2Xyi3fur4IaQBL2n4i0+rDgwDl7pbP
lmxtS1Ghi0K6MeW31cxivlBwx8/RaDwjro1oTTZbzHeeVhLDE6KXY/uvFEZWHinB
HqofdJe9Nx3t7/ti7fkMGVbe/1CQdj8vbWCOCzl2x+64y/czEg0XQq9eR18tXb51
ZjudmCnozlI=
=KMnb
-----END PGP SIGNATURE-----