Zscaler protects against 22 new vulnerabilities for Adobe Flash Player and Acrobat Reader.

Zscaler, working with Microsoft through their MAPP program, has proactively deployed protections for the following 22 vulnerabilities included in the February 2018 Adobe security bulletins. Zscaler will continue to monitor exploits associated with all vulnerabilities in the February release and deploy additional protections as necessary.

APSB18-03 – Security updates available for Adobe Flash Player.

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Severity: Critical
Affected Software

• Adobe Flash Player Desktop Runtime 28.0.0.137 and earlier for Windows, Macintosh and Linux
• Adobe Flash Player for Google Chrome 28.0.0.137 and earlier for Windows, Macintosh, Linux and Chrome OS
• Adobe Flash Player for Microsoft Edge and Internet Explorer 11 28.0.0.137 and earlier for Windows 10 and 8.1

CVE-2018-4878 – Use After Free vulnerability

This vulnerability is an instance of a use after free vulnerability in Primetime SDK. This vulnerability occurs due to dangling pointer in the Primetime SDK related to the handling of listener objects. The vulnerability is triggered by a crafted SWF file which leads to a temporal safety violation if it is possible to perform read / write dereferences on the dangling pointer to a listener object. This instance causes access violation exception because of the computation within the SWF that dereferences the dangling pointer. A constraint for exploitation of this vulnerability is that the memory area of the freed (i.e., old) listener object is reused by another listener object. The mismatch between the old and the new object can provide attacker with an unintended memory access. Successful exploitation could lead to arbitrary code execution.

CVE-2018-4877 – Use After Free vulnerability

This vulnerability is due to a dangling pointer that leads to a use after free vulnerability in the Primetime SDK, related to media player’s quality of service functionality. Specifically, the vulnerability is triggered by a crafted SWF file which leads to a temporal safety violation if it is possible to perform read / write dereferences on the dangling pointer. This instance causes access violation exception because of the computation within the SWF that dereferences the dangling pointer in the QOS provider object. A constraint for exploitation of this vulnerability is that the memory area of the freed (i.e., old) media player object is reused by another media player object. The mismatch between the old and the new object can provide attacker with an unintended memory access. Successful exploitation could lead to arbitrary code execution.

APSB18-02 – Security updates available for Adobe Acrobat and Reader

Adobe has released security updates for Adobe Acrobat and Reader for Windows and Macintosh. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Severity: Medium
Affected Software

• Acrobat DC (Continuous Track) 2018.009.20050 and earlier versions for Windows and Macintosh
• Acrobat Reader DC (Continuous Track) 2018.009.20050 and earlier versions Windows and Macintosh
• Acrobat 2017 2017.011.30070 and earlier versions Windows and Macintosh
• Acrobat Reader 2017 2017.011.30070 and earlier versions Windows and Macintosh
• Acrobat DC (Classic Track) 2015.006.30394 and earlier versions Windows and Macintosh
• Acrobat Reader DC (Classic Track) 2015.006.30394 and earlier versions Windows and Macintosh

CVE-2018-4879 – Out-of-bounds write

The vulnerability is caused by the computation that writes data past the end of the intended buffer; the computation is part of the image conversion module that processes Enhanced Metafile Format Plus (EMF+) data. The vulnerability is a result of out of range pointer offset that is used to access sub-elements of an internal EMF+ data structure. An attacker can potentially leverage the vulnerability to corrupt sensitive data or execute arbitrary code.

CVE-2018-4883 – Out-of-bounds read

This vulnerability occurs because of computation that reads data that is past the end of the target buffer; the computation is part of the image conversion engine that handles Enhanced Metafile Format (EMF) data related. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields related to the width of a string causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2018-4884 – Out-of-bounds read

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the image conversion engine when processing Enhanced Metafile Format (EMF) data that embeds image in the bitmap (BMP) file format. The use of an invalid (out-of-range) pointer offset during access of internal color table data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2018-4885 – Out-of-bounds read

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of Enhanced Metafile Format processing engine (within the image conversion module). The use of an invalid (out-of-range) pointer offset during access of internal data structure that represents EmfPlusPath object consisting of multiple points causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2018-4887 – Out-of-bounds read

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the Unicode mapping module that is invoked when processing Enhanced Metafile Format (EMF) data (during image conversion). The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2018-4892 – Use After Free

This vulnerability is an instance of a use after free vulnerability in the JBIG2 decoder. The mismatch between the old and the new object can provide attacker with an unintended memory access -- potentially leading to code corruption, control-flow hijack, or  code re-use attack. Successful exploitation could lead to arbitrary code execution.

CVE-2018-4896 – Out-of-bounds read

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of image conversion module that handles Enhanced Metafile Format Plus(EMF+) data. The use of an invalid (out-of-range) pointer offset during access of internal data structure array that represents a base-line graphics object causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2018-4900 – Out-of-bounds write

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of JavaScript manipulation of an Annotation object. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2018-4901 – Out-of-bounds write

The vulnerability is caused by the computation that writes data past the end of the intended buffer; the computation is part of the document identity representation. The vulnerability is a result of out of range pointer offset that is used to access sub-elements of an internal buffer data structure. An attacker can potentially leverage the vulnerability to corrupt sensitive data or execute arbitrary code.

CVE-2018-4902 – Use After Free

This vulnerability is an instance of a use after free vulnerability in the rendering engine. The mismatch between the old and the new object can provide attacker with an unintended memory access -- potentially leading to code corruption, control-flow hijack, or information leak attack. Successful exploitation could lead to arbitrary code execution.

CVE-2018-4903 – Out-of-bounds read

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the TIFF processing within XPS module. The use of an invalid (out-of-range) pointer offset during access of internal data structure that represent a string buffer causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2018-4904 – Heap Overflow

This vulnerability is an instance of a heap overflow vulnerability.

CVE-2018-4905 – Out-of-bounds read

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of TIFF processing within the XPS module. The use of an invalid (out-of-range) pointer offset during access of an intermediate color space data structure causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2018-4906 – Out-of-bounds read

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of image conversion module that handles Enhanced Metafile Format Plus (EMF+) data related to graphic object image attributes. The use of an invalid (out-of-range) pointer offset during access of internal data structure fields that store image object causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2018-4910 – Heap Overflow

This vulnerability is an instance of a heap overflow vulnerability in the JavaScript engine. The flawed computation causes an out of bounds memory access, due to improper bounds checking when manipulating an array pointer. Attackers can exploit the vulnerability by using the out of bounds access for unintended writes potentially leading to code corruption, control-flow hijack, or code re-use attack.

CVE-2018-4911 – Use After Free

This vulnerability is an instance of a use after free vulnerability in the JavaScript API related to bookmark functionality. The mismatch between the old and the new object can provide attacker with an unintended memory access -- potentially leading to control-flow hijack, or code re-use attack. Successful exploitation could lead to arbitrary code execution.

CVE-2018-4912 – Out-of-bounds read

This vulnerability occurs as a result of computation that reads data that is past the end of the target buffer; the computation is part of the image conversion module that handles JPEG 2000 data. The use of an invalid (out-of-range) pointer offset during access of internal data structure that represents pixel data buffer causes the vulnerability. A successful attack can lead to sensitive data exposure.

CVE-2018-4913 – Use After Free

This vulnerability is an instance of a use after free vulnerability in the XFA engine, related to DOM manipulation. The mismatch between the old and the new object can provide attacker with an unintended memory access -- potentially leading to code corruption, control-flow hijack, or information leak attack. Successful exploitation could lead to arbitrary code execution.

CVE-2018-4872 – Security bypass

This vulnerability is a security bypass vulnerability that leads to the Acrobat Reader sandbox escape. In this case, the cross call from the sandbox process to the embedded Internet Explorer process allows opening of a URL without a prompt for certain URLs. Due to the vulnerability, it is possible to bypass URL white-listing and re-direct to an arbitrary URL.

CVE-2018-4915 – Out-of-bounds write

The vulnerability is caused by the computation that writes data past the end of the intended buffer; the computation is part of the JavaScript API related to color conversion. The vulnerability is a result of out of range pointer offset that is used to access sub-elements of an internal data structure used during color conversion. An attacker can potentially leverage the vulnerability to corrupt sensitive data or execute arbitrary code.