Adobe Warns Windows, MacOS Users of Critical Acrobat and Reader Flaws


The critical-severity Adobe Acrobat and Reader vulnerabilities could enable arbitrary code execution and are part of a 14-CVE patch update.

Adobe has fixed critical-severity flaws tied to four CVEs in the Windows and macOS versions of its Acrobat and Reader family of PDF applications. The vulnerabilities could be exploited to execute arbitrary code on affected products.

These critical flaws include a heap-based buffer overflow (CVE-2020-24435), an out-of-bounds write (CVE-2020-24436) and two use-after-free flaws (CVE-2020-24430 and CVE-2020-24437). The bugs are part of Adobe’s regularly scheduled patches, which in total addressed critical-, important- and moderate-severity vulnerabilities tied to 14 CVEs.

Typically Adobe releases its regularly scheduled updates on the second Tuesday of the month. However, “While Adobe strives to release regularly scheduled updates on update Tuesday, occasionally those regularly scheduled security updates are released on non-update Tuesday dates,” an Adobe spokesperson said. “The November 2020 release of Adobe Reader and Acrobat is a standard product release that includes new product features as well as fixes for bugs and security vulnerabilities.”

Beyond the critical-severity flaws, Adobe also patched important-severity vulnerabilities tied to six CVEs. These include issues that allow for local privilege escalation: an improper access control flaw (CVE-2020-24433), a signature-verification bypass (CVE-2020-24429) and a race condition (CVE-2020-24428).

Other important-severity flaws include two improper input-validation issues, one leading to arbitrary JavaScript execution (CVE-2020-24432) and the other enabling information disclosure (CVE-2020-24427).

Another important-severity flaw stems from a security feature bypass that could allow for dynamic library injection (CVE-2020-24431).

Moderate-severity flaws tied to four CVEs could allow for information disclosure (CVE-2020-24426, CVE-2020-24434, CVE-2020-24438) and signature-verification bypass (CVE-2020-24439).

Affected versions include Acrobat DC and Acrobat Reader DC Continuous versions 2020.012.20048 and earlier (Windows and macOS); Acrobat and Acrobat Reader Classic 2020 versions 2020.001.30005 and earlier (Windows and macOS); and Acrobat and Acrobat Reader Classic 2017 versions 2017.011.30175 and earlier (Windows and macOS).

Users can update to Acrobat DC and Acrobat Reader DC Continuous version 2020.013.20064; Acrobat and Acrobat Reader Classic 2020 version 2020.001.30010 and Acrobat and Acrobat Reader Classic 2017 version 2017.011.30180.

The update carries Adobe’s “priority 2” rating, which Adobe applies to updates that resolve vulnerabilities “in a product that has historically been at elevated risk.”

“There are currently no known exploits,” according to Adobe. “Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days).”

Users can update their product installations manually by choosing Help > Check for Updates; however, the product will also update automatically, without requiring user intervention, when updates are detected.
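As an added example, not code from the article or from Adobe, the following Python script turns the affected/fixed version table above into a check that can be run over an inventory of reported Acrobat and Reader version strings, so an administrator does not have to eyeball each machine's Help > Check for Updates dialog. The rule that infers the track (Continuous, Classic 2020, Classic 2017) from the version prefix, and the sample inventory, are assumptions constructed for illustration; the advisory itself only lists the version ranges.

```python
"""Flag Acrobat / Acrobat Reader DC builds that predate the November 2020 fixes.

Added example (not Adobe's code or the article's). The fixed-build table
comes from the advisory summary; the track-inference rule and the inventory
are assumptions constructed for illustration.
"""
from typing import Optional

# Minimum patched build per track, as listed in the advisory (major, minor, build).
FIXED_VERSIONS = {
    "Continuous": (2020, 13, 20064),    # 2020.013.20064
    "Classic 2020": (2020, 1, 30010),   # 2020.001.30010
    "Classic 2017": (2017, 11, 30180),  # 2017.011.30180
}


def parse_version(text: str) -> tuple:
    """Turn 'YYYY.MMM.BBBBB' into an int tuple so builds compare lexicographically."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Acrobat version string: {text!r}")
    return tuple(int(p) for p in parts)


def infer_track(version: tuple) -> Optional[str]:
    """Assumption: the track is recoverable from the version prefix.

    2017.011.x is Classic 2017, 2020.001.x is Classic 2020, and other
    2019/2020 builds are the Continuous track. Anything else (for example a
    Classic 2015 build) returns None so it gets reviewed by hand rather than
    being silently treated as patched.
    """
    major, minor, _ = version
    if major == 2017 and minor == 11:
        return "Classic 2017"
    if major == 2020 and minor == 1:
        return "Classic 2020"
    if major in (2019, 2020):
        return "Continuous"
    return None


def format_version(version: tuple) -> str:
    """Inverse of parse_version: (2020, 13, 20064) -> '2020.013.20064'."""
    major, minor, build = version
    return f"{major}.{minor:03d}.{build}"


def assess(version_text: str) -> dict:
    """Compare one installed build with the fixed build for its track.

    'vulnerable' is True/False when the track is known and None when it is not.
    """
    installed = parse_version(version_text)
    track = infer_track(installed)
    if track is None:
        return {"version": version_text, "track": None,
                "fixed": None, "vulnerable": None}
    fixed = FIXED_VERSIONS[track]
    return {"version": version_text, "track": track,
            "fixed": format_version(fixed),
            "vulnerable": installed < fixed}


# Constructed inventory (host, reported version) for illustration only.
SAMPLE_INVENTORY = [
    ("ws-01", "2020.012.20048"),   # Continuous, last vulnerable build
    ("ws-02", "2020.013.20064"),   # Continuous, patched
    ("ws-03", "2020.001.30005"),   # Classic 2020, vulnerable
    ("ws-04", "2017.011.30180"),   # Classic 2017, patched
    ("ws-05", "2019.021.20061"),   # older Continuous build, vulnerable
    ("ws-06", "2015.006.30523"),   # Classic 2015, outside this advisory's table
]


def hosts_needing_update(inventory) -> list:
    """Sorted hostnames whose build is below the fixed build for its track."""
    return sorted(host for host, ver in inventory if assess(ver)["vulnerable"])


def hosts_needing_review(inventory) -> list:
    """Sorted hostnames whose track could not be inferred (vulnerable is None)."""
    return sorted(host for host, ver in inventory
                  if assess(ver)["vulnerable"] is None)


if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY:
        print(host, assess(ver))
    print("update:", hosts_needing_update(SAMPLE_INVENTORY))
    print("review:", hosts_needing_review(SAMPLE_INVENTORY))
```

The comparison relies on the three-part version being an integer tuple, so "2020.001.30005" sorts below "2020.001.30010" and "2020.012.x" below "2020.013.x" without any string tricks. Builds whose track cannot be inferred are reported separately instead of being dropped, which is the failure mode to avoid in a patch-compliance script.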

The November patches come after a busy October for Adobe. After warning of a critical vulnerability in its Flash Player application for users on Windows, macOS, Linux and ChromeOS operating systems, Adobe later in the month released 18 out-of-band security patches in 10 different software packages, including fixes for critical vulnerabilities that stretch across its product suite. Adobe Illustrator was hit the hardest.

