Four Critical Flaws Patched in Adobe Digital Editions

Adobe on Tuesday issued patches for 16 vulnerabilities spanning several of its products. The most serious of those flaws, four critical bugs in Adobe Digital Editions, could enable arbitrary code execution.

Adobe Digital Editions is a reader program used for acquiring, managing and reading e-books, digital newspapers and other digital publications. The software has four critical bugs enabling arbitrary code execution: three heap-overflow flaws (CVE-2018-12813, CVE-2018-12814 and CVE-2018-12823) and one use-after-free bug (CVE-2018-12822).

“Successful exploitation could lead to arbitrary code execution in the context of the current user,” the company said in an update Tuesday.

In addition, the software program has five important-rated out-of-bounds read flaws that enable information disclosure (CVE-2018-12816, CVE-2018-12818, CVE-2018-12819, CVE-2018-12820 and CVE-2018-12821).

The update covers Adobe Digital Editions versions 4.5.8 and earlier on Windows, Mac and iOS. Adobe said users should update to version 4.5.9 on all three platforms, calling the patches “priority 3.” That means the update resolves flaws “in a product that has historically not been a target for attackers,” according to Adobe.

Jaanus Kääp of Clarified Security was credited with reporting the issues.

Meanwhile, multiple versions of Adobe Experience Manager (AEM), Adobe’s content management solution for building websites and mobile apps, had five flaws, including three that are rated as important. The various bugs impacted versions 6.0 through 6.4 of the program.

“These updates resolve two reflected cross-site scripting vulnerabilities rated moderate, and three stored cross-site scripting vulnerabilities rated important that could result in sensitive information disclosure,” said Adobe.

A cross-site scripting flaw that could disclose sensitive information (CVE-2018-15973) was discovered in AEM 6.0 to 6.4; a cross-site scripting bug that could disclose sensitive information (CVE-2018-15972) was in AEM 6.1 to 6.4; and a stored cross-site scripting vulnerability (CVE-2018-15969) was discovered in AEM 6.3 and 6.4.

The two moderate reflected cross-site scripting flaws (CVE-2018-15970 and CVE-2018-15971) exist in version 6.4. Adobe “recommends users update their installation to the newest version” for each affected version of the product, giving the problem a “priority 2” severity rating.

Elsewhere, Adobe Technical Communication Suite has an important-rated privilege-escalation bug in versions 1.0.5.1 and below for Windows. This flaw (CVE-2018-15976) stems from insecure library loading, allowing DLL hijacking.

Finally, versions 1.0.5.1 and earlier of Adobe Framemaker for Windows have an important privilege-escalation flaw (CVE-2018-15974) also stemming from insecure library loading. Adobe said users should update to the 2019 release of Adobe Framemaker to resolve the issue.

Last week Adobe posted another update addressing 86 vulnerabilities – more than half of which were critical flaws – in Adobe Acrobat and Reader, its set of services to view, create, and manage PDF files.