Security Alert (A18-05-04): Multiple Vulnerabilities in Adobe Reader/Acrobat

Description:

Security updates are released for Adobe Reader/Acrobat to address multiple vulnerabilities.  To exploit the vulnerabilities, a remote attacker would entice a targeted user to open a specially crafted PDF file.

Please also note that the support for Adobe Acrobat XI 11.x and Adobe Reader XI 11.x ended on 15.10.2017. Users should arrange software replacement by adopting other supported products as soon as possible.

Affected Systems:

• Adobe Acrobat/Acrobat Reader 2017 2017.011.30079 and earlier versions
• Adobe Acrobat DC/Acrobat Reader DC Consumer 2018.011.20038 and earlier versions
• Adobe Acrobat DC/Acrobat Reader DC Classic 2015 2015.006.30417 and earlier versions

Impact:

A successful exploitation could lead to arbitrary code execution, information disclose or security bypass on an affected system.

Recommendation:

Upgrade Adobe Reader/Acrobat to the following versions to address the issues.

• Acrobat DC 2018.011.20040
• Acrobat Reader DC 2018.011.20040
• Acrobat 2017 2017.011.30080
• Acrobat Reader DC 2017 2017.011.30080
• Acrobat Reader DC (Classic 2015) 2015.006.30418
• Acrobat DC (Classic 2015) 2015.006.30418

The upgrade can be obtained by using the auto-update mechanism or by downloading at the following URLs:

http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Mac

More Information:

https://helpx.adobe.com/security/products/acrobat/apsb18-09.html
https://helpx.adobe.com/acrobat/kb/end-of-support-acrobat-xi-reader-xi.html
https://www.us-cert.gov/ncas/current-activity/2018/05/14/Adobe-Releases-Security-Updates
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4946 (to CVE-2018-4990
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4994