Adobe released a security update for Acrobat Reader and Acrobat DC for Windows and macOS on February 12, 2019. This security update addresses critical and important vulnerabilities in older program versions.
Details of the update can be found in Adobe Security Bulletin APSB19-07, where Adobe announces that security updates for Adobe Acrobat and Reader for Windows and macOS have been released. These updates address critical and important vulnerabilities. Successful exploitation can lead to arbitrary code execution in the context of the current user. Here is the table of affected products.
Adobe has provided updates for the affected products, which can be accessed via the links in the table below.
|Product|Track|Updated version|Platform|Download|
|---|---|---|---|---|
|Acrobat DC|Continuous|2019.010.20091|Windows and macOS||
|Acrobat Reader DC|Continuous|2019.010.20091|Windows and macOS|Windows macOS|
|Acrobat 2017|Classic 2017|2017.011.30120|Windows and macOS|Windows macOS|
|Acrobat Reader DC 2017|Classic 2017|2017.011.30120|Windows and macOS|Windows macOS|
|Acrobat DC|Classic 2015|2015.006.30475|Windows and macOS|Windows macOS|
|Acrobat Reader DC|Classic 2015|2015.006.30475|Windows and macOS|Windows macOS|
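To check an installed-software inventory against the builds in the table above, the following added example (not code from Adobe or from this article) classifies each reported version by track and flags hosts that are below the updated build. It assumes that Classic-track builds are numbered 30000 and up and Continuous builds below that; the host names and sample versions are constructed.

```python
import re

# Updated builds per track, copied from the table above.
FIXED_BUILDS = {
    "Continuous": (2019, 10, 20091),
    "Classic 2017": (2017, 11, 30120),
    "Classic 2015": (2015, 6, 30475),
}

def parse_version(text):
    """Parse '2019.010.20091' or the short form '19.010.20069' into a tuple."""
    match = re.fullmatch(r"(\d{2}|\d{4})\.(\d{1,3})\.(\d{5})", text.strip())
    if match is None:
        raise ValueError(f"unrecognised Acrobat version: {text!r}")
    year, release, build = (int(part) for part in match.groups())
    return (year + 2000 if year < 100 else year, release, build)

def track_of(version):
    """Assumption: Classic builds are numbered 30000+, Continuous below that."""
    year, _, build = version
    if build < 30000:
        return "Continuous"
    track = f"Classic {year}"
    return track if track in FIXED_BUILDS else None

def assess(text):
    """Return (track, status) for one installed version string."""
    version = parse_version(text)
    track = track_of(version)
    if track is None:
        return (None, "unknown track")
    status = "patched" if version >= FIXED_BUILDS[track] else "update required"
    return (track, status)

def audit(inventory):
    """Return (host, version, finding) for every host not confirmed patched."""
    findings = []
    for host, text in inventory:
        try:
            _, status = assess(text)
        except ValueError:
            status = "unparseable version"
        if status != "patched":
            findings.append((host, text, status))
    return findings

# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [("ws-001", "19.010.20069"), ("ws-002", "2019.010.20091"),
                    ("ws-003", "2015.006.30464"), ("mac-004", "2017.011.30120"),
                    ("ws-005", "11.0.23")]
```

A "patched" result only means the host is at or above the build listed in the table; versions that do not fit any listed track are reported for manual review rather than assumed safe.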
An article at Bleeping Computer addresses another vulnerability. The zero-day, which does not yet have a CVE ID, has been tested with the latest version of Adobe Acrobat Reader DC, 19.010.20069, but will most likely also affect all other versions up to this version. Mitja Kolsek, CEO of ACROS Security, the company behind 0patch, writes:
This vulnerability, similar to CVE-2018-4993, the so-called Bad-PDF reported by CheckPoint in April last year, allows a remote attacker to steal user’s NTLM hash included in the SMB request. It also allows a document to “phone home”, i.e., to let the sender know that the user has viewed the document. Obviously, neither of these is desirable.
Whether this vulnerability was closed with the update to Acrobat Reader DC 2019.010.20091 is unknown to me.