Adobe has released security patches to resolve 36 vulnerabilities present in DNG, Reader, and Acrobat software.
On Tuesday, the software giant issued two security advisories detailing the bugs, the worst of which can be exploited by attackers to trigger remote code execution attacks and information leaks.
The first set of patches relate to Adobe Acrobat and Reader for Windows and macOS, including Acrobat / Acrobat Reader versions 2015 and 2017, as well as Acrobat and Acrobat Reader DC.
In total, 12 critical security flaws have been resolved. Six of the bugs can lead to arbitrary code execution in the context of the current user: a single heap overflow problem (CVE-2020-9612), two out-of-bounds write errors (CVE-2020-9597, CVE-2020-9594), two buffer overflow issues (CVE-2020-9605, CVE-2020-9604), and two use-after-free vulnerabilities (CVE-2020-9607, CVE-2020-9606).
The remaining problems, now patched, include a race condition error (CVE-2020-9615) and four security bypass bugs (CVE-2020-9614, CVE-2020-9613, CVE-2020-9596, CVE-2020-9592).
12 vulnerabilities, deemed important, were also disclosed in Acrobat and Reader. Null pointer, stack exhaustion, out-of-bounds read, and invalid memory access issues have been patched. If exploited, the bugs can be weaponized for information disclosure and application denial-of-service.
Adobe's DNG Software Development Kit (SDK), versions 1.5 and earlier, is the subject of the second security advisory.
The worst vulnerabilities are four heap overflow issues (CVE-2020-9589, CVE-2020-9590, CVE-2020-9620, CVE-2020-9621) that can all lead to remote code execution attacks.
In addition, eight out-of-bounds read problems in the software have also been fixed (CVE-2020-9622, CVE-2020-9623, CVE-2020-9624, CVE-2020-9625, CVE-2020-9626, CVE-2020-9627, CVE-2020-9628, CVE-2020-9629). If exploited, these issues can lead to information disclosure.
Google Project Zero's security team reported the out-of-bounds issues. The team says that in particular contexts, the security flaws may also lead to system crashes.
Users should download the patches or accept automatic updates to their software builds to mitigate the risk of exploitation.
Adobe thanked researchers working with Trend Micro's Zero Day Initiative, Cisco Talos, iDefense Labs, and Google Project Zero, among others, for reporting the vulnerabilities.
Microsoft, too, has issued its customary monthly security update. In total, 111 vulnerabilities have been resolved across 12 products, the most severe of which are remote code execution bugs.
Last month, Adobe released an out-of-band patch to resolve 35 severe security issues in Bridge, Illustrator, and Magento. 25 of the security flaws were deemed critical and could lead to information leaks and code execution.