Adobe tackles critical code execution vulnerabilities in Acrobat, Reader
Adobe’s latest security update has tackled a set of critical and important bugs in Acrobat and Reader.
On Tuesday, the company issued its standard monthly round of fixes, the majority of which relate to the popular PDF viewing and editing software.
In total, 26 vulnerabilities have been resolved, 11 of which are deemed critical and could lead to remote code execution.
The patches have been created for Acrobat DC, Acrobat Reader DC, Acrobat and Classic 2020, Acrobat Reader 2020, Acrobat/Reader 2017, and Acrobat/Reader 2015 on Windows and macOS machines.
Two critical vulnerabilities (CVE-2020-9693, CVE-2020-9694) are out-of-bounds write security flaws that lead to arbitrary code execution if exploited. Two further critical bugs (CVE-2020-9696, CVE-2020-9712) are security bypass problems that can be exploited to circumvent existing security controls.
Arbitrary code vulnerabilities account for seven of the critical vulnerabilities resolved in the Acrobat and Reader update. The first five (CVE-2020-9698, CVE-2020-9699, CVE-2020-9700, CVE-2020-9701, and CVE-2020-9704) are buffer issues, whereas the remaining two (CVE-2020-9715, CVE-2020-9722) are use-after-free flaws that can also lead to arbitrary code execution in the context of the current user.
The important vulnerabilities range from sensitive data exposure, security bypass, stack exhaustion, and out-of-bounds read problems. Adobe says that if exploited, these issues could result in memory leaks to information disclosure and application denial-of-service.
In addition to the main security update, the tech giant also fixed a single vulnerability in Lightroom Classic, versions 126.96.36.199 and earlier, on Windows machines. Tracked as CVE-2020-9724, the insecure library loading issue could be abused for privilege escalation purposes.
It is recommended that users accept automatic updates to apply the new set of patches.
Adobe thanked researchers from Fortinet’s FortiGuard Labs, Qihoo 360, Offensive Security and iDefense Labs, and Palo Alto Networks, among others.
In July, Adobe released an out-of-band patch to resolve 13 vulnerabilities — 12 of which deemed critical — impacting Photoshop, Prelude, and Bridge. The fixes relate to out-of-bounds read and write issues leading to arbitrary code execution attacks.
Over Patch Tuesday, Microsoft released a massive security update tackling 120 vulnerabilities. In total, 17 vulnerabilities are considered critical, and two are considered zero-day vulnerabilities that are being actively exploited in the wild.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0