Adobe has released a patch kit for three products. An unusually large set of updates fixes more than 80 vulnerabilities in Acrobat and Reader, in components of the Experience Manager CMS, and in Download Manager for Windows. More than half of the new bugs are rated critical.
“Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user,” the Adobe security bulletin reports.
The largest number of vulnerabilities were closed in the Adobe Acrobat/Reader PDF editors, which received 68 patches, 45 of them for critical flaws. Six vulnerabilities are out-of-bounds writes (writing beyond the end of a buffer), and 26 are use-after-free bugs caused by continued use of memory that has already been freed.
The list also includes race conditions, type confusion, buffer overflows and pointer dereference flaws. All of these bugs could lead to execution of malicious code in the context of the affected product.
The less severe vulnerabilities are out-of-bounds reads (reading outside the allocated memory area), cross-site scripting, and incorrectly implemented security mechanisms (security bypass). Exploiting these bugs risks disclosure of confidential information.
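The two bug classes that dominate this patch set, out-of-bounds writes and use-after-free, are shown below as an added C illustration that is not Adobe's code. The `pdf_obj` structure, the length-prefixed record format and all inputs are constructed, hypothetical stand-ins for a parser's internals; the point is the unchecked pattern that trusts a length field from the file next to the checked version a reviewer would expect, and the release helper that clears a reference on free so a dangling pointer is detected rather than dereferenced.

```c
/* Added illustration (not Adobe code). "pdf_obj", the record layout and
 * the sample records are hypothetical stand-ins for a parser's internals. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define STREAM_CAP 16   /* fixed capacity of the parser's scratch buffer */

typedef struct {
    uint8_t data[STREAM_CAP];
    size_t  used;
} pdf_obj;

/* Records are one length byte followed by that many payload bytes. */

/* Out-of-bounds write pattern: the length comes straight from the file and
 * is never compared with the destination capacity. Kept only for contrast;
 * it is never called here, because a length above STREAM_CAP would write
 * past data[] (undefined behaviour). */
void load_unchecked(pdf_obj *obj, const uint8_t *rec)
{
    size_t len = rec[0];
    memcpy(obj->data, rec + 1, len);
    obj->used = len;
}

/* Checked variant: reject any record whose declared length exceeds either
 * the bytes actually present in the input or the buffer capacity.
 * Returns 0 on success, -1 on rejection (nothing is copied). */
int load_checked(pdf_obj *obj, const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1) return -1;
    size_t len = rec[0];
    if (len > rec_len - 1) return -1;   /* declared length runs past the input */
    if (len > STREAM_CAP) return -1;    /* would overflow data[] */
    memcpy(obj->data, rec + 1, len);
    obj->used = len;
    return 0;
}

/* Use-after-free mitigation: release through the reference and null it,
 * so code that still holds the reference sees NULL instead of freed memory. */
void release_obj(pdf_obj **ref)
{
    if (ref && *ref) {
        free(*ref);
        *ref = NULL;
    }
}

/* Payload size, or -1 if the reference has already been released. */
long obj_size(const pdf_obj *obj)
{
    return obj ? (long)obj->used : -1;
}

/* Walks both patterns with constructed records; returns 0 if every check
 * behaved as expected. */
int demo(void)
{
    /* constructed: declares 4 bytes and supplies 4 -> accepted */
    const uint8_t good[] = { 4, 'P', 'D', 'F', '!' };
    /* constructed: declares 200 bytes but only 3 follow -> rejected */
    const uint8_t truncated[] = { 200, 'x', 'y', 'z' };
    /* constructed: declares 20 bytes, all present, but 20 > STREAM_CAP -> rejected */
    uint8_t oversized[21];
    memset(oversized, 'A', sizeof oversized);
    oversized[0] = 20;

    pdf_obj *obj = calloc(1, sizeof *obj);
    if (!obj) return -1;
    int ok   = load_checked(obj, good, sizeof good);
    int rej1 = load_checked(obj, truncated, sizeof truncated);
    int rej2 = load_checked(obj, oversized, sizeof oversized);
    long before = obj_size(obj);          /* 4 */
    release_obj(&obj);
    long after = obj_size(obj);           /* -1: reference cleared, no UAF */
    return (ok == 0 && rej1 == -1 && rej2 == -1 && before == 4 && after == -1) ? 0 : 1;
}
```

The checked loader validates the length against both the input that is actually present and the fixed buffer size, which is the check that an out-of-bounds write bug lacks; the null-on-free helper is the simplest discipline that turns a use-after-free into a detectable NULL check.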
Adobe is not aware of any of these vulnerabilities being exploited in real attacks; however, given the popularity of Acrobat/Reader as a target, users are strongly advised to install the update.
In Adobe Download Manager 220.127.116.113 for Windows, the developers fixed a serious bug involving incorrect assignment of file access rights. According to the bulletin, vulnerability CVE-2019-8071 could lead to privilege escalation for an attacker. Security researcher Eran Shimony found the flaw and reported it to Adobe.
Multiple vulnerabilities were fixed in the Adobe Experience Manager CMS and the Adobe Experience Manager Forms application platform. The developers eliminated authentication bypass, cross-site scripting, cross-site request forgery and other problems. Most of them are rated high or medium severity; however, one flaw, registered as CVE-2019-8088, is rated critical. This vulnerability falls into the “command injection” category, and its exploitation allows executing malicious code on the system.
The weaknesses were found in versions 6.0 through 6.5 of Experience Manager and 6.3 through 6.5 of Experience Manager Forms; however, the vendor fixed only the last three releases of the platform, since builds 6.0, 6.1 and 6.2 are already out of support.
These patches were released outside Adobe's usual schedule and did not include Flash Player. The latest patches for that product came out in September 2019; they closed vulnerabilities CVE-2019-8069 and CVE-2019-8070, which could have allowed execution of third-party code.
Adobe recommends users update their software installations to the latest versions.
The latest product versions are available to end users via one of the following methods:
- Users can update their product installations manually by choosing Help > Check for Updates.
- The products will update automatically, without requiring user intervention, when updates are detected.
- The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.