Security Advisory - November 13, 2018

Zscaler protects against 2 new vulnerabilities in Adobe Flash Player & Acrobat Reader.

Zscaler, working with Microsoft through their MAPP program, has proactively deployed protections for the following 2 vulnerabilities included in the November 2018 Adobe security bulletins. Zscaler will continue to monitor exploits associated with all vulnerabilities in the November release and deploy additional protections as necessary.

APSB18-40 – Security updates available for Adobe Acrobat and Reader.

Adobe has released a security update for Adobe Acrobat and Reader for Windows and macOS. This update addresses an important vulnerability. Successful exploitation could lead to a leak of the user's hashed NTLM password.

 Severity: Important

Affected Software

  • Acrobat DC Continuous 2019.008.20080 and earlier versions for Windows and macOS
  • Acrobat Reader DC Continuous 2019.008.20080 and earlier versions for Windows and macOS
  • Acrobat 2017 Classic 2017 2017.011.30105 and earlier versions for Windows and macOS
  • Acrobat Reader 2017 Classic 2017 2017.011.30105 and earlier versions for Windows and macOS
  • Acrobat DC Classic 2015 2015.006.30456 and earlier versions for Windows and macOS
  • Acrobat Reader DC Classic 2015 2015.006.30456 and earlier versions for Windows and macOS

CVE-2018-15979 – Adobe Acrobat Reader Information Disclosure Vulnerability

This vulnerability is due to an incomplete patch for the embedded go-to action in a PDF file. Exploitation leads to disclosure of information that can be abused to extract hashed NTLM credentials. The vulnerability exists because of the way the Acrobat Reader engine handles certain action dictionaries.
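A triage sketch for the action dictionaries named above, added here as an example and not taken from the advisory, Zscaler or Adobe: it lists go-to actions (`/GoToE`, `/GoToR`) found in uncompressed PDF objects and marks file targets that look remote. The function names, the sample bytes and the remote-target heuristic are assumptions; the advisory does not describe the trigger in that detail.

```python
import re

# /S /GoToE is the PDF "embedded go-to" action; /GoToR is the remote go-to action.
ACTION_RE = re.compile(rb"/S\s*/(GoToE|GoToR)\b")
# File specification given as a literal string: /F (...) or /UF (...).
FILE_RE = re.compile(rb"/(?:UF|F)\s*\(((?:\\.|[^\\()])*)\)")

def dict_spans(data):
    """Yield (start, end) of every << ... >> dictionary, innermost first."""
    stack = []
    for m in re.finditer(rb"<<|>>", data):
        if m.group() == b"<<":
            stack.append(m.start())
        elif stack:
            yield stack.pop(), m.end()

def find_goto_actions(data):
    """Return (action, target, looks_remote) for each go-to action with a file target.

    Heuristic only: compressed object streams and hex-string targets are not decoded.
    """
    spans = list(dict_spans(data))
    findings = []
    for act in ACTION_RE.finditer(data):
        # First span containing the match is the action's own dictionary.
        span = next(((s, e) for s, e in spans if s <= act.start() < e), None)
        if span is None:
            continue
        for f in FILE_RE.finditer(data[span[0]:span[1]]):
            # Undo PDF literal-string escapes such as \\ and \( (octal escapes ignored).
            target = re.sub(rb"\\(.)", rb"\1", f.group(1)).decode("latin-1")
            # Assumption: UNC or URL-style targets are the ones worth an analyst's look.
            remote = target.startswith(("\\\\", "//")) or "://" in target
            findings.append((act.group(1).decode(), target, remote))
    return findings

# Constructed sample objects (not from a real document).
SAMPLE = (
    rb"1 0 obj << /Type /Action /S /GoToE /F (\\\\fileserver.example\\docs\\a.pdf) >> endobj" b"\n"
    rb"2 0 obj << /S /GoToR /F << /Type /Filespec /F (appendix.pdf) >> /D [0 /Fit] >> endobj" b"\n"
    rb"3 0 obj << /S /URI /URI (https://www.example.com/) >> endobj" b"\n"
)

if __name__ == "__main__":
    for action, target, remote in find_goto_actions(SAMPLE):
        print(f"{action:6} remote={remote!s:5} target={target}")
```

A hit is a reason to inspect the file, not a verdict; patched reader versions remain the fix for the issue described here.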

APSB18-39 – Security updates available for Flash Player.

Adobe has released a security update for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address an important vulnerability in Adobe Flash Player 31.0.0.122 and earlier versions. Successful exploitation could lead to information disclosure.

 Severity: Important

Affected Software

  • Adobe Flash Player Desktop Runtime 31.0.0.122 and earlier versions for Windows, macOS and Linux
  • Adobe Flash Player for Google Chrome 31.0.0.122 and earlier versions for Windows, macOS, Linux and Chrome OS 
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 31.0.0.122 and earlier versions for Windows 10 and 8.1

CVE-2018-15978 – Adobe Flash Player Out-of-bounds Read vulnerability.

This is an out-of-bounds read vulnerability that leads to information disclosure.