Critical Adobe Acrobat and Reader Bugs Allow RCE

adobe august patch tuesday 2020

Adobe patched critical and important-severity flaws tied to 26 CVEs in Acrobat and Reader.

Adobe has plugged 11 critical security holes in Acrobat and Reader, which if exploited could allow attackers to remotely execute code or sidestep security features in the app.

As part of its regularly scheduled security updates, Tuesday, Adobe fixed critical- and important-severity flaws tied to 26 CVEs – all stemming from its popular Acrobat and Reader document-management application – as well as one important-severity CVE in Adobe Lightroom, which is its image manipulation software. Adobe said it is not aware of any exploits in the wild for the vulnerabilities addressed in its update.

Click to register!

One of the more severe critical flaws addressed, a use-after-free glitch (CVE-2020-9715), could allow remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC.

“The specific flaw exists within the handling of ESObject data objects,” Dustin Childs, communications manager for Trend Micro’s Zero Day Initiative (through which the flaw was reported), told Threatpost. “The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process.”

Another important-severity flaw, CVE-2020-9697, appears to have existed for 13 years, Childs told Threatpost. The “disclosure of sensitive data” bug could expose sensitive memory information.

Adobe also patched two critical out-of-bounds write flaws (CVE-2020-9693, CVE-2020-9694) that could enable arbitrary code-execution. One of these (CVE-2020-9693) exists within the parsing of JPG2000 images. JPG2000 is an image-coding system that uses compression tactics. An attacker could persuade a user to open a specially crafted PDF document – and this flaw would then enable them to remotely execute code, Childs told Threatpost.

Two other critical flaws (CVE-2020-9696, CVE-2020-9712) could allow attackers to bypass security features in the application. One of these bugs, CVE-2020-9712, could allow attackers to bypass HTML parsing mitigations within Acrobat Pro DC: “Through this, an attacker can trigger the parsing of HTML documents remotely from within Acrobat,” said Childs.

Also patched were five critical buffer errors (CVE-2020-9698, CVE-2020-9699, CVE-2020-9700, CVE-2020-9701, CVE-2020-9704) and a use-after-free (CVE-2020-9722) glitch, all of which could allow code execution.

Beyond the critical-severity flaws, Adobe also issued fixes for 15 important-rated vulnerabilities in Acrobat and Reader. These varied from stack-exhaustion flaws (CVE-2020-9702, CVE-2020-9703) that could allow attackers to launch application denial-of-service (DoS) attacks, to a security-bypass issue (CVE-2020-9714) opening the door to privilege escalation. Eleven important-rated out-of-bounds read flaws (CVE-2020-9723, CVE-2020-9705, CVE-2020-9706, CVE-2020-9707, CVE-2020-9710, CVE-2020-9716, CVE-2020-9717, CVE-2020-9718, CVE-2020-9719, CVE-2020-9720, CVE-2020-9721) were also addressed that could allow for information disclosure.


Affected versions (for Windows and macOS) include: Acrobat DC and Acrobat Reader DC Continuous (versions 2020.009.20074 and earlier); Acrobat and Acrobat Reader Classic 2020 (version 2020.001.30002), Acrobat and Acrobat Reader Classic 2017 (versions 017.011.30171 and earlier) and Acrobat and Acrobat Reader Classic 2015 (versions 2015.006.30523 and earlier).

Users should ensure that they update to versions Acrobat DC/Reader version 2020.012.20041, Acrobat/Reader Classic 2020 version 2020.001.30005, Acrobat/Reader Classic 2017 version 2017.011.30175 and Acrobat/Reader Classic 2015 version 2015.006.30527, respectively. The update is a “priority 2,” which according to Adobe means that it addresses vulnerabilities in a product that has “historically been at elevated risk,” but that there are currently no known exploits.

“Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days),” according to Adobe’s guidance.

Adobe also fixed one insecure library loading flaw (CVE-2020-9724) that could allow for privilege escalation in Lightroom Classic. Users are urged to update to version 9.3 for Lightroom Classic.

This month’s security updates follow a slew of flaws addressed last month. In July, Adobe released various scheduled security updates covering flaws in five different product areas: Creative Cloud Desktop; Media Encoder; Download Manager; Genuine Service; and ColdFusion. Four of these bugs were rated critical in severity, with the others ranked as important. Later in the month, Adobe released a slew of unscheduled patches for critical vulnerabilities – including several critical flaws tied to its popular Photoshop photo-editing software, which allowed adversaries to execute arbitrary code on targeted Windows devices.

“In July alone, Adobe delivered 19 security vulnerability patches, seven of which came after Patch Tuesday,” Richard Melick, senior technical product manager at Automox, said via email. “Whether this is due to the increased usage, and thus data collection, of their products with more folks remote or an increase in vulnerability research, the uptick in releases shows promise for Adobe’s approach to product security. With a patch released every week from Adobe, it also shows that waiting until Patch Tuesday to research and deploy the updates could be leaving endpoints susceptible to known vulnerabilities.”

Complimentary Threatpost Webinar: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable” brings top cloud-security experts from Microsoft and Fortanix together to explore how Confidential Computing is a game changer for securing dynamic cloud data and preventing IP exposure. Join us  Wednesday Aug. 12 at 2pm ET for this FREE live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix – both with the Confidential Computing Consortium. Register Now.

Suggested articles