If a user visited a malicious website, opened a malicious advertiser tag, or browsed to a malicious URL within an ad unit, an attacker could exploit this issue and potentially execute arbitrary code with the user's elevated privileges. Adobe is aware of limited, targeted attacks attempting to exploit this issue which have been reported in the media. Adobe is monitoring these reports closely and investigating the issue. Adobe recommends applying the indicated update to address this issue. Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.

Vulnerability details

If a user visited a malicious website, opened a malicious advertiser tag, or browsed to a malicious URL within an ad unit, an attacker could exploit this issue and potentially execute arbitrary code with the user's elevated privileges. Adobe is aware of limited, targeted attacks attempting to exploit this issue which have been reported in the media. Adobe is monitoring these reports closely and investigating the issue. Adobe recommends applying the indicated update to address this issue. Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.

Benefits of Update 14 (and Earlier) and Update 4 (and Earlier)

Adobe is aware of limited, targeted attacks attempting to exploit this issue which have been reported in the media. Adobe is monitoring these reports closely and investigating the issue.
Adobe recommends applying the indicated update to address this issue. Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.

Summary of Update 14

The issue addressed by this update is a memory corruption vulnerability in Adobe Acrobat and Reader. This issue may allow an attacker to execute arbitrary code on the system with elevated privileges by exploiting a use-after-free condition. The vulnerability is reported to exist in all Adobe Acrobat and Reader versions from 12.1.0 and earlier, including 11.0.21 and earlier, 10.1.13 and earlier, 9.4 and earlier, 9.3 and earlier, 8.2 and earlier, 7.1 and earlier, 6.0 through 6.1 and 5th edition through 9th edition for Windows running on all supported operating systems including Windows XP SP2 or later, Vista SP2 or later, 7 SP2 or later, 8 or 8.1 (32-bit & 64-bit), 32 bit only: Windows Server 2003 SP1 (32-bit) running on 32 bit only: Windows Server 2008 R2 (64-bit)

Products Affected

Adobe Acrobat, Adobe Acrobat Reader DC, Adobe Flash Player for Windows and Macintosh, Adobe Flash Player for Linux, Adobe Reader DC and Acrobat DC

Credit card number disclosure vulnerability

If a user visited a malicious website, opened a malicious advertiser tag, or browsed to a malicious URL within an ad unit, an attacker could exploit this issue and potentially execute arbitrary code with the user's elevated privileges. Adobe is aware of limited, targeted attacks attempting to exploit this issue which have been reported in the media. Adobe is monitoring these reports closely and investigating the issue. Adobe recommends applying the indicated update to address this issue. Update 14 (and earlier) and Update 4 (and earlier) are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary file system read. Exploitation of this issue does not require user interaction.

Timeline

Published on: 10/14/2022 20:15:00 UTC
Last modified on: 10/14/2022 20:31:00 UTC

References