Adobe sends out second fix for critical Reader data leak vulnerability
Adobe has released a second patch to resolve a critical zero-day vulnerability in Adobe Reader after its original fix failed.
The vulnerability, CVE-2019-7089, was patched in Adobe's February 12 patch release. Buried among 42 other critical bugs, the security flaw was described as a sensitive data leak problem which can lead to information disclosure when exploited.
Security
Adobe's out-of-schedule patch bulletin impacts Acrobat DC, Acrobat Reader DC, Acrobat 2017 Classic, Acrobat Reader DC Classic 2017, and 2015 versions of Acrobat DC and Acrobat Reader DC on Windows and macOS machines.
CNET: California bill would require companies to let you know if your passport number is stolen
Alex Infuhr of Cure53 reported the failed patch to Adobe after discovering a bypass which is able to circumvent the fix, leaving the data leak unresolved.
The critical issue is similar to BadPDF and permits attackers to leverage weaknesses in a content embedding feature of Reader which forces the software to send requests to an attacker-controlled server when a .PDF file is opened.
TechRepublic: 5 workplace technologies that cause the most employee data breaches
This technique, described as "phoning home," can result in threat actors obtaining hashed password values as well as being alerted when a file is active and open.
Adobe's second patch will hopefully resolve the issue, which has now been issued a new CVE number and is tracked as CVE-2019-7815.
The tech giant is not aware of any reports that the vulnerability is being exploited in the wild but suggests that users update their builds with the new security release to mitigate the risk of exploit.
See also: Adobe's massive patch update fixes critical Acrobat, Reader bugs