Adobe has released patches to address 26 vulnerabilities in Adobe Acrobat and Adobe Reader, 11 of which are rated critical. Of the critical flaws, nine allow remote execution of arbitrary code and two allow security feature bypass.
The remote code execution vulnerabilities are a mix of out-of-bounds writes (CVE-2020-9693 and CVE-2020-9694), use-after-free bugs (CVE-2020-9715 and CVE-2020-9722), and buffer errors (CVE-2020-9698, CVE-2020-9699, CVE-2020-9700, CVE-2020-9701, and CVE-2020-9704). The two security feature bypass vulnerabilities are tracked as CVE-2020-9696 and CVE-2020-9712.
The vulnerabilities affect Windows and macOS versions of the following products:
- Acrobat DC (2020.009.20074 and earlier versions)
- Acrobat 2020 (2020.001.30002)
- Acrobat 2017 (2017.011.30171 and earlier versions)
- Acrobat 2015 (2015.006.30523 and earlier versions)
- Acrobat Reader DC (2020.009.20074 and earlier versions)
- Acrobat Reader 2020 (2020.001.30002)
- Acrobat Reader 2017 (2017.011.30171 and earlier versions)
- Acrobat Reader 2015 (2015.006.30523 and earlier versions)
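The version list above is what an administrator actually has to check against an inventory, and the four release tracks use different numbering. The helper below is an added example, not Adobe's code and not from the original article: it encodes the affected ceilings from the list and reports whether a given build falls at or below them. Two things are assumptions: that installers and registry keys may report the year as two digits (`20.009.20074` for `2020.009.20074`), and that the classic tracks keep a fixed major.minor (2020.001, 2017.011, 2015.006) while the continuous DC track bumps the minor number, which is how `detect_track` tells them apart. Sample inputs are constructed and are not a list of fixed builds.

```python
# Added example: check whether an installed Acrobat/Reader build falls in the
# affected ranges listed in the bulletin. Not Adobe's code; the version-string
# handling (two-digit year, release-track inference) is an assumption.
from typing import Optional, Tuple

# Highest affected build per track, taken from the bulletin text.
# Acrobat and Acrobat Reader share the same numbers on each track.
AFFECTED_CEILING = {
    "DC":   (2020, 9, 20074),   # 2020.009.20074 and earlier
    "2020": (2020, 1, 30002),   # 2020.001.30002 (first release of that track)
    "2017": (2017, 11, 30171),  # 2017.011.30171 and earlier
    "2015": (2015, 6, 30523),   # 2015.006.30523 and earlier
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2020.009.20074' (or the two-digit-year form '20.009.20074' that
    some installers and registry keys report; assumption) into a comparable
    integer tuple. int() drops the zero padding of the middle component."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {text!r}")
    major, minor, build = (int(p) for p in parts)
    if major < 100:              # '20' -> 2020, '17' -> 2017, '15' -> 2015
        major += 2000
    return major, minor, build


def detect_track(version: Tuple[int, int, int]) -> Optional[str]:
    """Map a version to its release track. Assumption inferred from the
    bulletin's list: classic tracks keep a fixed major.minor (2020.001,
    2017.011, 2015.006) and only bump the build, while the continuous DC
    track bumps the minor number with each release."""
    major, minor, _ = version
    classic = {(2020, 1): "2020", (2017, 11): "2017", (2015, 6): "2015"}
    if (major, minor) in classic:
        return classic[(major, minor)]
    if major == 2020:
        return "DC"
    return None


def is_affected(version_text: str, track: Optional[str] = None) -> bool:
    """True if the build is at or below the affected ceiling for its track.
    Pass the track explicitly when it is known from the product name;
    otherwise it is inferred with detect_track()."""
    version = parse_version(version_text)
    track = track or detect_track(version)
    if track not in AFFECTED_CEILING:
        raise ValueError(f"cannot determine release track for {version_text!r}")
    return version <= AFFECTED_CEILING[track]


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data and not fixed builds.
    for sample in ["2020.009.20074", "20.009.20063", "2020.010.00001",
                   "2020.001.30002", "2017.011.30171", "2017.011.30172",
                   "2015.006.30523"]:
        state = "AFFECTED" if is_affected(sample) else "not in affected range"
        print(f"{sample:>16} -> {state}")
```

Comparing integer tuples rather than strings matters here: a string comparison would rank `2020.009.20074` above `2020.012.20041` because "9" sorts after "1", which is exactly the kind of mistake that leaves a vulnerable build marked as patched.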
The remaining 15 vulnerabilities are rated important and could be exploited for memory leaks, information disclosure, privilege escalation, or denial of service.
A patch has also been released to correct a vulnerability in Adobe Lightroom Classic photo editing software. The flaw, tracked as CVE-2020-9724, is due to insecure library loading and could be used to escalate privileges.
Adobe is unaware of any attempts to exploit the vulnerabilities in the wild but urges users of the vulnerable products to update to the latest version as soon as possible.