Four Critical Flaws Patched in Adobe Digital Edition | The first stop for security news | Threatpost

Four Critical Flaws Patched in Adobe Digital Edition

Adobe Digital Edition has four critical bugs enabling arbitrary code execution.

Adobe on Tuesday issued patches for 16 vulnerabilities spanning several of its products. The most serious of those flaws, four critical glitches in Adobe Digital Edition, could enable arbitrary code-execution.

Adobe Digital Editions is an reader software program used for acquiring, managing and reading e-books, digital newspapers and other digital publications. The service has four critical bugs enabling arbitrary code-execution: Three heap-overflow flaws (CVE-2018-12813, CVE-2018-12814 and CVE-2018-12823) and one use-after-free bug (CVE-2018-12822).

“Successful exploitation could lead to arbitrary code execution in the context of the current user,” the company said in an update Tuesday.

In addition, the software program has five important-rated out-of-bounds read flaws that enable information disclosure (CVE-2018-12816, CVE-2018-12818, CVE-2018-12819, CVE-2018-12820 and CVE-2018-12821).

The update impacted Adobe Digitial Edition versions 4.5.8 and below on Windows, Mac and iOS. Adobe said users should update to version 4.5.9 for all three platforms, calling the patches “priority 3.” That means the update resolves flaws “in a product that has historically not been a target for attackers,” according to Adobe.

Jaanus Kääp of Clarified Security was credited with reporting the issues.

Other Patches

Meanwhile, multiple versions of Adobe Experience Manager, Adobe’s content management solution for building websites and mobile apps, had five flaws, including three that are rated as important. The various bugs impacted versions 6.0 through 6.4 of the program.

“These updates resolve two reflected cross-site scripting vulnerabilities rated moderate, and three stored cross-site scripting vulnerabilities rated important that could result in sensitive information disclosure,” said Adobe.

A cross-site scripting flaw that could disclose sensitive information (CVE-2018-15973) was discovered in AEM 6.0 to 6.4; a cross-site scripting bug that could disclose sensitive information (CVE-2018-15972) was in AEM 6.1 to 6.4; and a stored cross-site scripting vulnerability (CVE-2018-15969) was discovered in AEM 6.3 and 6.4.

The two moderate reflected cross-site scripting flaws (CVE-2018-15970  and CVE-2018-15971) exist in its version 6.4. Adobe “recommends users update their installation to the newest version” for each version of the product, giving the problem a “priority 2” severity rating.

Elsewhere, Adobe Technical Communication Suite has an important-rated privilege-escalation bug in versions 1.0.5.1 and below for Windows. This flaw (CVE-2018-15976) stems from insecure library loading, allowing DLL hijacking.

Finally, versions 1.0.5.1 and earlier of Adobe Framemaker for Windows have an important privilege-escalation flaw (CVE-2018-15974) also stemming from insecure library loading. Adobe said users should update to the 2019 release of Adobe Framemaker to resolve the issue.

Last week Adobe posted another update addressing 86 vulnerabilities – more than half of which were critical flaws – in Adobe Acrobat and Reader, its set of services to view, create, and manage PDF files.

Suggested articles

Discussion

  • Ranjan on

    "The update impacted Adobe Digitial Edition versions 4.5.8" there is typo kindly correct it.
  • Ranjan on

    "Adobe Digital Editions is _an_ reader software program used for acquiring," typo error, kindly fix it.
  • Ranjan on

    Also Adobe Reader DC got version 2019.008.20074 readers kindly update it soon.
  • JVingent on

    thank u for this helpful blog. keep up the good work

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.