Adobe patched critical- and important-severity flaws tied to 26 CVEs in Acrobat and Reader.
Adobe has plugged 11 critical security holes in Acrobat and Reader which, if exploited, could allow attackers to remotely execute code or bypass security features in the application.
As part of its regularly scheduled security updates on Tuesday, Adobe fixed critical- and important-severity flaws tied to 26 CVEs – all stemming from its popular Acrobat and Reader document-management software – as well as one important-severity CVE in Adobe Lightroom, its image-manipulation software. Adobe said it is not aware of any exploits in the wild for the vulnerabilities addressed in this update.
One of the more severe critical flaws addressed, a use-after-free bug (CVE-2020-9715), could allow remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC.
“The specific flaw exists within the handling of ESObject data objects,” Dustin Childs, communications manager for Trend Micro’s Zero Day Initiative (through which the flaw was reported), told Threatpost. “The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process.”
Another important-severity flaw, CVE-2020-9697, appears to have existed for 13 years, Childs told Threatpost. The “disclosure of sensitive data” bug could expose sensitive memory information.
Adobe also patched two critical out-of-bounds write flaws (CVE-2020-9693, CVE-2020-9694) that could allow arbitrary code execution. One of these (CVE-2020-9693) exists in the parsing of JPEG 2000 images. JPEG 2000 is an image-coding system that uses compression techniques. An attacker could convince a user to open a specially crafted PDF document – and this flaw would then allow them to remotely execute code, Childs told Threatpost.
Two other critical flaws (CVE-2020-9696, CVE-2020-9712) could allow attackers to bypass security features in the application. One of these bugs, CVE-2020-9712, could allow attackers to bypass HTML parsing mitigations within Acrobat Pro DC: “Through this, an attacker can cause the parsing of HTML documents remotely from within Acrobat,” said Childs.
Also patched were five critical buffer errors (CVE-2020-9698, CVE-2020-9699, CVE-2020-9700, CVE-2020-9701, CVE-2020-9704) and a use-after-free bug (CVE-2020-9722), all of which could allow code execution.
Beyond the critical-severity flaws, Adobe also issued fixes for 15 important-rated vulnerabilities in Acrobat and Reader. These ranged from stack-exhaustion flaws (CVE-2020-9702, CVE-2020-9703) that could allow attackers to launch application denial-of-service (DoS) attacks, to a security-bypass issue (CVE-2020-9714) that opens the door to privilege escalation. Eleven important-rated out-of-bounds read flaws (CVE-2020-9723, CVE-2020-9705, CVE-2020-9706, CVE-2020-9707, CVE-2020-9710, CVE-2020-9716, CVE-2020-9717, CVE-2020-9718, CVE-2020-9719, CVE-2020-9720, CVE-2020-9721) were also addressed that could allow for information disclosure.
Affected versions (for Windows and macOS) include: Acrobat DC and Acrobat Reader DC Continuous (versions 2020.009.20074 and earlier), Acrobat and Acrobat Reader Classic 2020 (version 2020.001.30002), Acrobat and Acrobat Reader Classic 2017 (versions 2017.011.30171 and earlier) and Acrobat and Acrobat Reader Classic 2015 (versions 2015.006.30523 and earlier).
Users should make sure that they update to Acrobat DC/Reader DC version 2020.012.20041, Acrobat/Reader Classic 2020 version 2020.001.30005, Acrobat/Reader Classic 2017 version 2017.011.30175 and Acrobat/Reader Classic 2015 version 2015.006.30527, respectively. The update is a “priority 2,” which according to Adobe means that it addresses vulnerabilities in a product that has “historically been at elevated risk,” but that there are currently no known exploits.
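The affected and fixed build numbers above are the kind of thing an administrator wants to check across a fleet rather than by hand. The following is an added example, not code from the original article or from Adobe: it takes the fixed versions exactly as the article lists them and compares an installed build against them numerically. Obtaining the installed version string from each host (registry on Windows, the app bundle on macOS) is assumed to be done by the caller; the inventory embedded below is constructed for illustration, and the hostnames are made up.

```python
"""Patch-compliance check for the Acrobat/Reader builds named in the article.

Added example, not part of the original article or of Adobe's tooling.
The fixed-version table is taken from the article text; the installed version
strings are assumed to be supplied by the caller (this example does not read
them from the OS), and the sample inventory below is constructed.
"""
from typing import Iterable, List, Tuple

# Minimum patched build per product track, as stated in the article.
PATCHED_VERSIONS = {
    "Acrobat DC / Reader DC (Continuous)": "2020.012.20041",
    "Acrobat / Reader Classic 2020": "2020.001.30005",
    "Acrobat / Reader Classic 2017": "2017.011.30175",
    "Acrobat / Reader Classic 2015": "2015.006.30527",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2020.009.20074' into (2020, 9, 20074) so segments compare numerically.

    Comparing the raw strings would be wrong as soon as a segment loses its zero
    padding (lexically '2020.9.1' sorts above '2020.12.1'); integer tuples do not
    have that problem.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(track: str, installed: str) -> bool:
    """True if the installed build is at or above the fixed build for its track."""
    if track not in PATCHED_VERSIONS:
        raise KeyError(f"unknown product track: {track!r}")
    return parse_version(installed) >= parse_version(PATCHED_VERSIONS[track])


def audit(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str, bool]]:
    """Return (host, track, installed, needs_update) for each inventory row.

    needs_update is True where the host is still on an affected build.
    """
    return [
        (host, track, installed, not is_patched(track, installed))
        for host, track, installed in inventory
    ]


# Constructed sample inventory: hostnames are hypothetical, builds come from the article.
SAMPLE_INVENTORY = [
    ("ws-01", "Acrobat DC / Reader DC (Continuous)", "2020.009.20074"),  # affected
    ("ws-02", "Acrobat DC / Reader DC (Continuous)", "2020.012.20041"),  # fixed
    ("ws-03", "Acrobat / Reader Classic 2017", "2017.011.30171"),        # affected
    ("ws-04", "Acrobat / Reader Classic 2015", "2015.006.30527"),        # fixed
]

if __name__ == "__main__":
    for host, track, installed, needs in audit(SAMPLE_INVENTORY):
        status = "UPDATE NEEDED" if needs else "ok"
        print(f"{host}: {track} {installed} -> {status}")
```

Because Adobe rates this update priority 2 with a 30-day installation window, a check like this is most useful when run on a schedule and the `needs_update` rows are fed into whatever ticketing or endpoint-management process the organisation already uses.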
“Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days),” according to Adobe’s guidance.
Adobe also fixed an insecure library loading flaw (CVE-2020-9724) that could allow for privilege escalation in Lightroom Classic. Users are urged to update to version 9.3 of Lightroom Classic.
This month’s security updates follow a slew of flaws addressed last month. In July, Adobe released several scheduled security updates covering flaws in five different product areas: Creative Cloud Desktop, Media Encoder, Download Manager, Genuine Service and ColdFusion. Four of these bugs were rated critical in severity, with the others ranked as important. Later in the month, Adobe released a slew of unscheduled patches for critical vulnerabilities – including several critical flaws tied to its popular Photoshop image-editing software, which allowed adversaries to execute arbitrary code on targeted Windows systems.
“In July alone, Adobe delivered 19 security vulnerability patches, seven of which arrived after Patch Tuesday,” Richard Melick, senior technical product manager at Automox, said via email. “Whether this is due to the increased use, and therefore data collection, of their products with more people remote, or an increase in vulnerability research, the uptick in releases shows promise for Adobe’s approach to product security. With a patch released every week from Adobe, it also shows that waiting until Patch Tuesday to research and deploy the updates could be leaving endpoints vulnerable to known vulnerabilities.”