Adobe issues patches for 36 vulnerabilities in DNG, Reader, Acrobat

May’s patch round includes fixes for remote code execution flaws.


Adobe has released security patches to resolve 36 vulnerabilities present in DNG, Reader, and Acrobat software. 


On Tuesday, the software giant issued two security advisories detailing the bugs, the worst of which can be exploited by attackers to achieve remote code execution and leak information.

The first set of patches relates to Adobe Acrobat and Reader for Windows and macOS, including Acrobat / Acrobat Reader versions 2015 and 2017, as well as Acrobat and Acrobat Reader DC.

In total, 12 critical security flaws have been resolved. Six of the bugs can lead to arbitrary code execution in the context of the current user: a single heap overflow problem (CVE-2020-9612), two out-of-bounds write errors (CVE-2020-9597, CVE-2020-9594), two buffer overflow issues (CVE-2020-9605, CVE-2020-9604), and two use-after-free vulnerabilities (CVE-2020-9607, CVE-2020-9606).


The remaining critical problems, now patched, include a race condition error (CVE-2020-9615) and four security bypass bugs (CVE-2020-9614, CVE-2020-9613, CVE-2020-9596, CVE-2020-9592).

A further 12 vulnerabilities, rated important, were also disclosed in Acrobat and Reader. Null pointer dereference, stack exhaustion, out-of-bounds read, and invalid memory access issues have been patched. If exploited, these bugs can lead to information disclosure and application denial-of-service.

Adobe's DNG Software Development Kit (SDK), versions 1.5 and earlier, is the subject of the second security advisory. 

The worst vulnerabilities are four heap overflow issues (CVE-2020-9589, CVE-2020-9590, CVE-2020-9620, CVE-2020-9621) that can all lead to remote code execution attacks.

In addition, eight out-of-bounds read problems in the software have also been fixed (CVE-2020-9622, CVE-2020-9623, CVE-2020-9624, CVE-2020-9625, CVE-2020-9626, CVE-2020-9627, CVE-2020-9628, CVE-2020-9629). If exploited, these issues can lead to information disclosure.


Google Project Zero's security team reported the out-of-bounds read issues. The team says that in particular contexts, these flaws may also lead to system crashes.

Users should download the updates, or accept the automatic updates offered to their software builds, to mitigate the risk of exploitation.

Adobe thanked researchers working with Trend Micro's Zero Day Initiative, Cisco Talos, iDefense Labs, and Google Project Zero, among others, for reporting the vulnerabilities. 


Microsoft, too, has issued its customary monthly security update. In total, 111 vulnerabilities have been resolved across 12 products, the most severe of which are remote code execution bugs.

Last month, Adobe released an out-of-band patch to resolve 35 severe security issues in Bridge, Illustrator, and Magento. 25 of the security flaws were deemed critical and could lead to information leaks and code execution. 
