Adobe’s Patch Tuesday updates for November are tiny by historical measures, but the company is recommending users apply fixes for its PDF products, Reader and Acrobat for Windows, Flash Player on Windows, macOS, Linux and Chrome OS, and Photoshop for Windows and macOS.
The flaw affecting Reader and Acrobat deserves the highest priority, according to Adobe, in part because proof of concept exploit code is publicly available.
The bug is tracked as CVE-2018-15979 and can be used to leak the hashed password of Microsoft’s NT LAN Manager (NTLM) authentication on systems that use it for Single-Sign On (SSO).
In May researchers at CheckPoint detailed a flaw affecting Adobe’s and Foxit’s PDF readers that could be used to leak an NTLM credential hash. The attack involved embedding remote documents or files within a PDF, and then injecting malicious content that stealthily leaks an NTML credential hash once a target opens a rigged PDF.
Adobe back then published steps to mitigate this vulnerability to block users from following links in PDF documents. It advised admins to follow the same steps to mitigate the newly disclosed vulnerability, CVE-2018-15979.
Adobe has patched the issue in the continuous track for Acrobat and Reader in version 2019.008.20081. It’s also fixed in each products 2017 and 2015 classic tracks.
While Flash Player historically has seen dozens of vulnerabilities fixed each month, this month’s Patch Tuesday-aligned update contains a fix for just one vulnerability. In October, its update contained no security fixes.
The information disclosure flaw affects Flash Player version 18.104.22.168 and earlier across the desktop runtime, and the plugins for Google Chrome, Microsoft Edge, and Internet Explorer 11.
Flash Player usage has been in steady decline over the years as websites move to other technologies and browser makers adjust their respective products to make it more difficult to use Flash Player content. Flash Player will officially reach end-of-life at the end of 2020 with Microsoft, Apple, Google, and Mozilla aligning their end of support for the browser plugin by then too.
Finally, Adobe has an update for a flaw Adobe Photoshop CC that affects versions 19.1.6 and earlier on Windows and macOS.