Adobe has issued fixes for 47 CVEs, including multiple critical vulnerabilities, less than a week after it released a scheduled set of Patch Tuesday updates.
Bulletin APSB18-09 is rated Priority 1 and fixes critical and important vulnerabilities in Adobe Acrobat and Reader for Windows and MacOS.
According to Adobe, the updates address vulnerabilities “whose successful exploitation could lead to arbitrary code execution in the context of the current user.”
Of the 24 critical CVEs, CVE-2018-4990 is a double-free bug, while CVE-2018-4950 is an out-of-bounds write flaw.
CVE-2018-4953 is a type confusion vulnerability while CVE-2018-4987 is an untrusted pointer dereference bug.
CVE-2018-4947, CVE-2018-4948, CVE-2018-4966, CVE-2018-4968, CVE-2018-4978, CVE-2018-4982, and CVE-2018-4984 are heap overflow vulnerabilities.
The final bunch of 13 vulnerabilities — CVE-2018-4946, CVE-2018-4952, CVE-2018-4954, CVE-2018-4958, CVE-2018-4959, CVE-2018-4961, CVE-2018-4971, CVE-2018-4974, CVE-2018-4977, CVE-2018-4980, CVE-2018-4983, CVE-2018-4988, and CVE-2018-4989 — are use-after-free flaws.
The remaining “important” rated CVEs range from security bypass and out-of-bounds read laws to memory corruption, NTLM SSO hash theft and HTTP POST new line injection via XFA submission.
They could allow information disclosure and security bypass, according to Adobe.
The firm also issued bulletin APSB18-17 on Monday, rated as a Priority 3 and addressing CVE-2018-4946 in Photoshop.
“Adobe has released updates for Photoshop CC for Windows and macOS,” the summary noted.
“These updates resolve a critical vulnerability in Photoshop CC 19.1.3 and earlier 19.x versions, as well as 18.1.3 and earlier 18.x versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.”
The security updates follow last week’s Patch Tuesday release of three bulletins covering Adobe Flash, Creative Cloud and Adobe Connect and fixing five important and critical-rated CVEs.