Adobe sends out second fix for critical Reader data leak vulnerability
Adobe has released a second patch to resolve a critical zero-day vulnerability in Adobe Reader after its original fix failed.
The vulnerability, CVE-2019-7089, was patched in Adobe’s February 12 patch release. Buried among 42 other critical bugs, the security flaw was described as a sensitive data leak problem which can lead to information disclosure when exploited.
Adobe’s out-of-schedule patch bulletin impacts Acrobat DC, Acrobat Reader DC, Acrobat 2017 Classic, Acrobat Reader DC Classic 2017, and 2015 versions of Acrobat DC and Acrobat Reader DC on Windows and macOS machines.
Alex Infuhr of Cure53 reported the failed patch to Adobe after discovering a bypass which is able to circumvent the fix, leaving the data leak unresolved.
The critical issue is similar to BadPDF and permits attackers to leverage weaknesses in a content embedding feature of Reader which forces the software to send requests to an attacker-controlled server when a .PDF file is opened.
This technique, described as “phoning home,” can result in threat actors obtaining hashed password values as well as being alerted when a file is active and open.
Adobe’s second patch will hopefully resolve the issue, which has now been issued a new CVE number and is tracked as CVE-2019-7815.
The tech giant is not aware of any reports that the vulnerability is being exploited in the wild but suggests that users update their builds with the new security release to mitigate the risk of exploit.
Previous and related coverage