Adobe issued patches for 43 critical vulnerabilities in Acrobat and Reader – including a fix for a zero-day flaw that researchers at 0patch temporarily fixed on Monday. That bug could enable bad actors to steal victims’ hashed password values.
Overall, Adobe patched 75 important and critical vulnerabilities across its products,including Acrobat Reader DC, Adobe Flash Player, Adobe Coldfusion, and Creative Cloud Desktop Application. The Tuesday morning patches are part of Adobe’s regularly-scheduled security updates.
Adobe said it is not aware that any of these vulnerabilities are being actively exploited.
Acrobat and Reader
Adobe Acrobat and Reader by far had the most vulnerabilities (71 overall) – 43 of which were dubbed critical severity.
Part of Adobe’s patch roundup includes a permanent fix for the critical vulnerability that was temporarily patched on Monday by 0patch, CVE 2019-7089. This zero-day vulnerability in Adobe Reader enabled bad actors to steal victims’ hashed password values, known as “NTLM hashes.”
A proof of concept released by security researcher Alex Inführ, who reported the vulnerability, allowed a PDF document to automatically send a server message block (SMB) request to an attacker’s server as soon as the document is opened. SMB protocols enable an application or user of an application to access files on a remote server. Embedded in these SMB requests are NTLM hashes (NTLM is short for NT LAN Manager).
Two other critical vulnerabilities (CVE-2018-19725 and CVE-2019-7041) allowed a security bypass via privilege escalation, according to Abdul-Aziz Hariri with Zero Day Initiative who is credited with finding them.
Other than a critical integer overflow flaw (CVE-2019-7030) allowing information disclosure, the remaining critical vulnerabilities enable arbitrary code execution. These include buffer errors, out of bounds write flaws, type confusion glitches and use-after-free vulnerabilities.
Impacted versions include Acrobat DC and Acrobat Reader DC Continuous (versions 2019.010.20069 and earlier); Acrobat and Acrobat Reader Classic 2017 (versions 2017.011.30113 and earlier); and Acrobat DC and Reader DC Classic 2015 (versions 2015.006.30464 and earlier). All impacted versions are on the Windows and macOS platforms.
ColdFusion Critical Flaw
Another critical vulnerability (CVE-2019-7091) existed in Adobe’s ColdFusion product, its commercial rapid web application development platform. The flaw exists due to deserialization of untrusted data, allowing arbitrary code execution.
ColdFusion 2018 (update 1 and earlier versions), 2016 (update 7 and earlier versions) and ColdFusion 11 (update 15 and earlier versions) are all impacted. Wang Cheng of Venustech ADLab is credited with discovering the flaw.
Adobe also fixed an important cross-site scripting flaw (CVE-2019-7092) in ColdFusion that could allow information disclosure.
Other patched flaws include an important privilege escalation bug (CVE-2019-7093) in Creative Cloud Desktop Application (versions 22.214.171.1240 and earlier) and an important out-of-bounds read flaw (CVE-2019-7090) that could enable information disclosure in versions of Adobe Flash (including versions 126.96.36.199 and earlier for Desktop Runtime, Google Chrome, Microsoft Edge and IE 11).
February’s scheduled updates topped the number of critical and important vulnerabilities fixed in Adobe’s January regularly scheduled update.
That update fixed two bugs rated important in its Adobe Digital Edition and Adobe Connect products. The two important vulnerabilities include an information-disclosure bug in Adobe’s eBook reader software program, Digital Edition; as well as a session-token exposure bug in its presentation and web conferencing software, Adobe Connect.