Adobe splats bucketful of bugs in Acrobat and Reader
If you thought that Adobe skipped this month’s Patch Tuesday because there were no immediate vulnerabilities to fix, you were wrong: a week later the company dropped security updates for several of its products, including Acrobat and Reader and the Download Manager.
All in all, 82 security holes – most of which are critical – have been plugged. The good news is that none are under active exploitation.
The updates
The update for Adobe Acrobat and Reader – the most popular PDF reader on the market, which also integrates into web browsers as a plugin – is arguably the most important one. It fixes a whopping 45 critical code execution flaws and 21 less critical information disclosure vulnerabilities.
The flaws can be triggered by opening a specially crafted PDF document or accessing a malicious web page.
The critical ones could allow attackers to execute code on the underlying system. Depending on the privileges associated with the user active at the time of the attack, they could achieve total control of the system. (This is why applying the principle of least privilege to all systems and services is important.)
Among the fixed RCEs is CVE-2019-8183, discovered by Aleksandar Nikolic of Cisco Talos and outlined here.
The Adobe Experience Manager update carries a number of fixes, including that for an RCE (CVE-2019-8088).
The Adobe Experience Manager Forms update fixes only one flaw that could lead to sensitive information disclosure.
Finally, the Adobe Download Manager update (just for Windows) plugs a bug that could be exploited to achieve privilege escalation.
While the Adobe Download Manager is designed to remove itself from the system after use at the next computer restart, we know that many users don’t restart their machines that often. Those users should check whether a potentially vulnerable version of the utility (v2.0.0.363) is still present on the system, and remove it if it’s there.
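One way to run that check on a Windows machine, as an added example that is not from the article or from Adobe: it walks the standard Uninstall registry keys, looks for an entry whose DisplayName contains "Adobe Download Manager" (an assumed name; adjust the pattern if the product registers differently) and flags the build mentioned above.

```powershell
# Added example, not Adobe's tooling: report whether the Adobe Download Manager
# build named in the article (v2.0.0.363) is still registered on this system.
# Assumption: the utility registers under the standard Windows Uninstall keys
# with a DisplayName containing "Adobe Download Manager".

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$vulnerableVersion = [version]'2.0.0.363'   # version named in the article

$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Adobe Download Manager*' }

if (-not $entries) {
    Write-Output 'Adobe Download Manager is not registered on this system.'
    return
}

foreach ($e in $entries) {
    # DisplayVersion is a string; parse it so the comparison is numeric, not lexical
    $installed = $null
    $parsed = [version]::TryParse([string]$e.DisplayVersion, [ref]$installed)
    $isVulnerable = $parsed -and ($installed -eq $vulnerableVersion)

    [pscustomobject]@{
        DisplayName     = $e.DisplayName
        DisplayVersion  = $e.DisplayVersion
        Vulnerable      = $isVulnerable
        UninstallString = $e.UninstallString   # command to remove the utility
    }
}
```

Run it in an elevated PowerShell session so both the machine-wide and per-user keys are readable; a row with Vulnerable = True means the utility should be removed rather than left for the next restart.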