The vulnerabilities addressed in this month updates affect Adobe Flash Player, Creative Cloud Desktop Application, Adobe Experience Manager, Adobe Acrobat and Reader applications.
None of the security vulnerabilities patched this month were either publicly disclosed or found being actively exploited in the wild.
Adobe Acrobat and Reader (Windows and macOS)
Security researchers from Trend Micro's Zero Day Initiative and Cybellum Technologies have discovered and reported two critical arbitrary code execution vulnerabilities respectively in Acrobat DC and Acrobat Reader DC for Windows and macOS.
Zero Trust + Deception: Learn How to Outsmart Attackers!
Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!Save My Seat!
According to the Adobe advisory, the flaw (CVE-2018-12808) reported by Cybellum Technologies is an out-of-bounds write flaw, whereas the bug (CVE-2018-12799) reported by Zero Day Initiative is an untrusted pointer dereference vulnerability.
Adobe Flash Player (For Desktops and Browsers)
The latest version of Adobe Flash Player application, i.e., 184.108.40.206, patches a total of five vulnerabilities, including four important information disclosure bugs and one non-critical remote code execution issue.
The remote code execution bug is a privilege escalation issue reported by Kai Song from Tencent, which leads to arbitrary code execution, but has been considered "important" by the company.
All five vulnerabilities affect desktop runtime and Google Chrome versions of Flash Player for Windows, macOS, Linux, and Chrome OS.
Adobe Experience Manager (All Platforms)
The company has also released security patches for its enterprise content management solution, Adobe Experience Manager, to address two cross-site scripting (XSS) vulnerabilities and one input validation bypass flaw.
The XSS flaws could result in information disclosure, while the input validation bypass bug could allow an attacker to modify information.
All the three vulnerabilities have been rated as "moderate" in severity, and affect Experience Manager for all platforms, and users are advised to download the latest version from here as soon as possible.
Creative Cloud Desktop Application (Windows)
Adobe has also patched an important privilege escalation flaw (CVE-2018-5003) in the Creative Cloud Desktop Application installer for Windows.
The vulnerability, which has been patched in the latest version 220.127.116.112, originates from the insecure loading of libraries, leading to DLL hijacking attacks.
Adobe recommends end users and administrators to download and install the latest security patches as soon as possible.