May 14, 2018
A new update is available that provides mitigation for the vulnerabilities described in this page.
The update will be applied automatically. To manually update from Acrobat or Acrobat Reader, choose Help > Check for updates, and then follow the steps in the Updater window to download and install the latest updates.
For more information about the update, see the respective release notes:
- Acrobat DC and Acrobat Reader DC Continuous Track release notes
- Acrobat 2017 and Acrobat Reader 2017 (Classic Track) release notes
- Acrobat DC and Acrobat Reader DC Classic Track (2015 Release) release notes
- Additionally, this release provides an optional feature lockdown key to suppress PDF actions that result in opening a link. Details here.
A problem in Microsoft’s NT LAN Manager (NTLM) authentication implementation affected Adobe Acrobat DC and Adobe Acrobat Reader DC, allowing attackers to redirect a user to a malicious resource outside your organization in order to obtain the NTLM authentication messages.
Microsoft issued an optional security enhancement late last year that provides customers with the ability to disable NTLM SSO authentication as a method for public resources. With this fix, Adobe Acrobat DC and Adobe Acrobat Reader DC are not affected by the vulnerability.
However, the mitigation is only available for Windows 10 and Windows Server 2016.
On platforms where Microsoft’s update is not applied or available:
- The vulnerability can be mitigated in Acrobat DC and Reader DC, and for PDFs opened inside Internet Explorer, by enabling Protected View. For more information on how to enable Protected View, see Protected View feature for PDFs (Windows).