Adobe Patch Tuesday updates for November 2018 fixes three flaws in Flash Player, Acrobat and Reader, and Photoshop CC.
The most severe issue is an information disclosure vulnerability, tracked as CVE-2018-15979, due to the availability of the proof-of-concept (PoC) exploit.
The flaw rated as “important severity” affects Adobe Acrobat and Reader for Windows, its exploitation could lead the leak of the user’s hashed NTLM password.
“Adobe has released security updates for Adobe Acrobat and Reader for Windows to resolve an important vulnerability. Successful exploitation could lead to an inadvertent leak of the user’s hashed NTLM password.” reads the advisory published by Adobe.
The vulnerability was discovered by free exploit detection service EdgeSpot, it received a priority rating of “1,” which means that the risk of exploitation is high.
In April 2018, Assaf Baharav, a security expert at Check Point, demonstrated that exploiting a the flaw (CVE-2018-4993) it was possible to use weaponized PDF files to steal Windows credentials, precisely the associated NTLM hashes, without any user interaction.
The attackers just need to trick victims into opening a file, Baharav explained that attackers could take advantage of features natively found in the PDF standard to steal NTLM hashes.
“The attacker can then use this to inject malicious content into a PDF and so when that PDF is opened, the target automatically leaks credentials in the form of NTLM hashes.” wrote Baharav.
The researcher used a specially crafted PDF document for his proof-of-concept.
When a victim would open the PDF document it would automatically contact a remote SMB server controlled by the attacker, this leads to the exposure of the NTLM details in the SMB requests, including the NTLM hash for the authentication process.
“The NTLM details are leaked through the SMB traffic and sent to the attacker’s server which can be further used to cause various SMB relay attacks.” continues the expert.
According to EdgeSpot, Adobe failed to properly address patch the CVE-2018-4993 vulnerability discovered by Check Point.
“In April or May 2018, Check Point released a blog post detailing a NTLM leaking vulnerability on Adobe Reader & Foxit Reader. Later, Adobe released a security advisory claiming the vulnerability was fixed since Acrobat Reader DC 2018.011.20040.” wrote EdgeSpot. “However, we found that only one variant of this vulnerability were successfully patched by Adobe, and the other variant was not actually addressed.”
Adobe also addressed an out-of-bounds read flaw in Flash Player (CVE-2018-15978) that can lead to information disclosure. The flaw affects the Windows, macOS, Linux and Chrome OS versions of Flash Player, the risk of exploitation associated with the issue is very low.
“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address an important vulnerability in Adobe Flash Player 126.96.36.199 and earlier versions. Successful exploitation could lead to information disclosure.” reads the security advisory published by Adobe.
The third flaw addressed by Adobe Patch Tuesday updates for November 2018 is an out-of-bounds read issue that affects Windows and macOS versions of Photoshop CC. The exploitation of the flaw can lead to information disclosure. Adobe credited an anonymous researcher for the flaw, he reported it via Trend Micro’s Zero Day Initiative (ZDI).
“Adobe has released updates for Photoshop CC for Windows and macOS. These updates resolve an important vulnerability in Photoshop CC 19.1.6 and earlier 19.x versions. Successful exploitation could lead to information disclosure.” states the Adobe advisory.
According to Adobe, there is no evidence that any of these flaws addressed with Adobe Patch Tuesday updates for November 2018 have been exploited in attacks in the wild.