Was that November's Patch Tuesday? Already? Oh, no, it's just Adobe issuing 14 emergency security fixes

Critical Acrobat, Reader flaws evidently couldn't wait until next week


Adobe on Tuesday published updated versions of its Acrobat and Reader software to fix fourteen flaws, four of which have been designated "critical." These updates should be installed as soon as possible to close off their vulnerabilities.

The security bulletin (APSB20-67) covers Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017, and Acrobat Reader 2017 for macOS and Windows.

It flags fourteen CVEs:

Vulnerability Category        | Vulnerability Impact            | Severity  | CVE Number
------------------------------|---------------------------------|-----------|-------------------------------
Heap-based buffer overflow    | Arbitrary Code Execution        | Critical  | CVE-2020-24435
Improper access control       | Local privilege escalation      | Important | CVE-2020-24433
Improper input validation     | Arbitrary JavaScript Execution  | Important | CVE-2020-24432
Signature validation bypass   | Minimal (defense-in-depth fix)  | Moderate  | CVE-2020-24439
Signature verification bypass | Local privilege escalation      | Important | CVE-2020-24429
Improper input validation     | Information Disclosure          | Important | CVE-2020-24427
Security feature bypass       | Dynamic library injection       | Important | CVE-2020-24431
Out-of-bounds write           | Arbitrary Code Execution        | Critical  | CVE-2020-24436
Out-of-bounds read            | Information Disclosure          | Moderate  | CVE-2020-24426, CVE-2020-24434
Race Condition                | Local privilege escalation      | Important | CVE-2020-24428
Use-after-free                | Arbitrary Code Execution        | Critical  | CVE-2020-24430, CVE-2020-24437
Use-after-free                | Information Disclosure          | Moderate  | CVE-2020-24438

None of the CVEs identified have yet been named by CERT/CC's Vulnonym bot, so we have that to look forward to. At the time this article was filed, the most recent CVE bestowed with a name was an IBM App Connect Enterprise Certified Container click hijacking bug (CVE-2020-4785), dubbed "Whacking Mouflon." (A mouflon, in case you were wondering, is a wild sheep associated with the islands of Corsica and Sardinia.)


The four critical flaws, if successfully exploited, could allow "arbitrary code execution in the context of the current user," Adobe says in its bulletin. That's definitely not desirable from a security perspective, so anyone using affected Adobe software would do well to update immediately.

The vulnerabilities rated "important" and "moderate" shouldn't be discounted as matters of concern. They could allow privilege escalation, arbitrary JavaScript execution, and information disclosure, among other unappealing outcomes.

Adobe generally issues patches on "Patch Tuesday," a date observed by many tech companies that falls on the second Tuesday of every month. The Register asked Adobe why it chose to issue an out-of-band patch on the first Tuesday of the month and a company spokesperson said that happens sometimes but offered no explanation.

"While Adobe strives to release regularly scheduled updates on update/patch Tuesday, occasionally those regularly scheduled security updates are released on non-update/patch Tuesday dates," the spokesperson said.

"The November 2020 release of Adobe Reader and Acrobat is a standard product release that includes new product features as well as fixes for bugs and security vulnerabilities." ®


Biting the hand that feeds IT © 1998–2020