Multivendor Vulnerability Alert
Adobe Acrobat Plugin Loading Object Mismatch Use-After-Free Arbitrary Code Execution Vulnerability

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
-
A vulnerability in the image conversion module of Adobe Acrobat DC and Adobe Acrobat Reader DC could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.
The vulnerability exists because the affected software mismatches old and new objects when loading a plugin, leaving a dangling pointer that results in a use-after-free memory error and improper memory access. An attacker could exploit the vulnerability by persuading a user to access a link or file that submits malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code and compromise the system completely.
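The object mismatch the alert describes, as an added illustration that is not Adobe's code and does not reproduce the Acrobat defect: a consumer keeps a raw pointer to a plugin object, a reload frees that object and allocates a replacement, and the cached pointer is left dangling, so the next dereference is a use-after-free. The hardened half replaces the raw pointer with a generation-checked handle, so a reference issued before the reload is refused instead of dereferenced. All names (plugin_registry, registry_resolve, imageconv-v1) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration of the bug class in the alert: a dangling pointer
 * left behind when an old object is replaced by a new one during a plugin
 * (re)load. Not Adobe's code. */

typedef struct {
    uint32_t generation;   /* bumped on every reload */
    char     name[32];
} plugin_object;

/* --- Vulnerable pattern: consumers cache a raw pointer -------------------- */

typedef struct {
    plugin_object *obj;    /* nobody tells the consumer when obj is freed */
} raw_consumer;

/* Frees the old object and returns a fresh one. Any raw_consumer that still
 * holds the old pointer now dangles; dereferencing it is a use-after-free.
 * Shown for contrast only; the demo below never dereferences a freed object. */
plugin_object *reload_plugin_raw(plugin_object *old, const char *name) {
    free(old);
    plugin_object *n = calloc(1, sizeof *n);
    if (n) strncpy(n->name, name, sizeof n->name - 1);
    return n;
}

/* --- Hardened pattern: consumers hold a generation-checked handle --------- */

typedef struct {
    plugin_object *current;  /* the registry owns the only raw pointer */
    uint32_t       generation;
} plugin_registry;

typedef struct {
    uint32_t generation;     /* snapshot taken when the handle was issued */
} plugin_handle;

static int registry_init(plugin_registry *reg, const char *name) {
    reg->current = calloc(1, sizeof *reg->current);
    if (!reg->current) return -1;
    reg->generation = 1;
    reg->current->generation = reg->generation;
    strncpy(reg->current->name, name, sizeof reg->current->name - 1);
    return 0;
}

static plugin_handle registry_handle(const plugin_registry *reg) {
    plugin_handle h = { reg->generation };
    return h;
}

/* Replace the object; every handle issued earlier becomes invalid because the
 * generation counter moves on. The old object is freed only after the new one
 * has been allocated, so a failed reload leaves the registry intact. */
static int registry_reload(plugin_registry *reg, const char *name) {
    plugin_object *n = calloc(1, sizeof *n);
    if (!n) return -1;
    free(reg->current);
    reg->current = n;
    reg->generation++;
    n->generation = reg->generation;
    strncpy(n->name, name, sizeof n->name - 1);
    return 0;
}

/* The only way to reach the object: the handle's generation must match. */
static plugin_object *registry_resolve(plugin_registry *reg, plugin_handle h) {
    if (h.generation != reg->generation) return NULL;  /* stale handle refused */
    return reg->current;
}

static void registry_destroy(plugin_registry *reg) {
    free(reg->current);
    reg->current = NULL;
}

/* Returns 1 when a handle issued before a reload is refused afterwards and a
 * fresh handle resolves to the replacement object; 0 otherwise. */
int demo_handle_check(void) {
    plugin_registry reg;
    if (registry_init(&reg, "imageconv-v1") != 0) return 0;
    plugin_handle old = registry_handle(&reg);
    int ok = registry_resolve(&reg, old) != NULL;
    if (registry_reload(&reg, "imageconv-v2") != 0) { registry_destroy(&reg); return 0; }
    ok = ok && registry_resolve(&reg, old) == NULL;      /* would have been the UAF */
    plugin_handle fresh = registry_handle(&reg);
    plugin_object *cur = registry_resolve(&reg, fresh);
    ok = ok && cur != NULL && strcmp(cur->name, "imageconv-v2") == 0;
    registry_destroy(&reg);
    return ok;
}

int main(void) {
    printf("generation-checked handle demo: %s\n", demo_handle_check() ? "ok" : "FAIL");
    return 0;
}
```

The generation counter is the whole point: with raw pointers the consumer has no way to learn that the object it cached was freed, whereas a handle that must be resolved through the owning registry turns the stale reference into a NULL return that the caller can check.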
Adobe has confirmed the vulnerability and released software updates.
-
To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a user to access a link or file that submits malicious input to the affected software.
-
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.
Users are advised not to visit websites or follow links that have suspicious characteristics or cannot be verified as safe.
Administrators are advised to use an unprivileged account when browsing the Internet.
Administrators are advised to monitor critical systems.
-
Adobe has confirmed the vulnerability and released a security bulletin at the following link: APSB18-02
-
Adobe has released software updates at the following links:
- Acrobat Reader DC Classic track version 2015.006.30413 for Windows
- Acrobat Reader DC Classic track version 2015.006.30416 for Mac
- Acrobat Reader DC Continuous track version 2018.011.20035 for Windows
- Acrobat DC Continuous track version 2018.011.20035 for Windows
- Acrobat DC Continuous track version 2018.011.20035 for Mac
- Acrobat DC Classic track version 2015.006.30413 for Windows
- Acrobat DC Classic track version 2015.006.30416 for Mac
- Acrobat Reader 2017 version 2017.011.30078 for Windows
- Acrobat Reader 2017 version 2017.011.30078 for Mac
- Acrobat 2017 version 2017.011.30078 for Windows
- Acrobat 2017 version 2017.011.30078 for Mac
-
Version: 1
Description: Initial public release.
Section: —
Date: 2018-June-14
-
The security vulnerability applies to the following combinations of products.
Primary Products:
- Adobe Reader 2017 (2017.011.30079)
- Adobe Acrobat DC 2015.006.30403 (Base) | 2017.011.30078 (Base) | 2015.006.30417 (Base) | 2018.011.20038 (Base)
- Adobe Acrobat Reader DC 2017.011.30078 (Base) | 2015.006.30403 (Base) | 2015.006.30417 (Base) | 2018.011.20038 (Base)
- Acrobat 2017 2017.011.30079 (Base)
Associated Products:
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
FIXED SOFTWARE INFORMATION AND LINKS PROVIDED BY SUPPLIERS AND VENDORS ARE FOR REFERENCE ONLY. USERS SHOULD CONTACT THEIR SUPPLIER OR VENDOR FOR UPDATED SOFTWARE.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products