Adobe has released an out-of-band update that corrects 14 vulnerabilities in Adobe Acrobat and Adobe Reader, a week ahead of November's Patch Tuesday, when Adobe updates are usually scheduled for release. Four of the 14 are rated critical and affect Acrobat and Reader on both Windows and macOS. The critical flaws can be exploited remotely and allow arbitrary code to be executed on a vulnerable installation in the context of the current user, so the attacker gains whatever access the person who opened the document has.
The four critical flaws, all of which can lead to remote code execution, are:
- CVE-2020-24430 – Use-after-free vulnerability
- CVE-2020-24435 – Heap-based buffer overflow vulnerability
- CVE-2020-24436 – Out-of-bounds write vulnerability
- CVE-2020-24437 – Use-after-free vulnerability
The vulnerabilities affect the following Acrobat and Reader versions:
- Acrobat DC and Acrobat Reader DC Continuous versions 2020.012.20048 and earlier for Windows and macOS
- Acrobat and Acrobat Reader Classic 2020 versions 2020.001.30005 and earlier for Windows and macOS
- Acrobat and Acrobat Reader Classic 2017 versions 2017.011.30175 and earlier for Windows and macOS
The 14 vulnerabilities have been corrected in the following product releases:
- Acrobat DC and Acrobat Reader DC Continuous version 2020.013.20064
- Acrobat and Acrobat Reader Classic 2020 version 2020.001.30010
- Acrobat and Acrobat Reader Classic 2017 version 2017.011.30180
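As an added example (not Adobe's code and not part of the original article), the following Python script compares an installed Acrobat or Reader version string against the fixed builds listed above and reports whether the install is still on a vulnerable build. The version numbers come from the lists above; the track-detection heuristic in `guess_track`, the function names and the sample inventory are assumptions of this example. Versions are compared as integer tuples rather than as strings because the middle component is zero-padded and build numbers can differ in length.

```python
from __future__ import annotations

# Fixed builds for each release track, as listed in the advisory summary above.
FIXED_BUILDS = {
    "Continuous":   (2020, 13, 20064),   # Acrobat DC / Acrobat Reader DC
    "Classic 2020": (2020, 1, 30010),
    "Classic 2017": (2017, 11, 30180),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '2020.012.20048' into (2020, 12, 20048) so tuples compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version string: {text!r}")
    year, minor, build = (int(p) for p in parts)
    return (year, minor, build)


def guess_track(version: tuple[int, int, int]) -> str | None:
    """Infer the release track from the version number.

    ASSUMPTION (not stated in the advisory): the Classic tracks keep a fixed
    middle component (2017.011.x and 2020.001.x) while the 2020 Continuous
    track uses a larger middle component (2020.012.x, 2020.013.x). This holds
    for the builds the advisory covers; for anything else pass the track
    explicitly to assess().
    """
    year, minor, _ = version
    if year == 2017 and minor == 11:
        return "Classic 2017"
    if year == 2020 and minor == 1:
        return "Classic 2020"
    if year == 2020 and minor > 1:
        return "Continuous"
    return None


def format_version(version: tuple[int, int, int]) -> str:
    """Render (2020, 13, 20064) back in Adobe's zero-padded form."""
    year, minor, build = version
    return f"{year}.{minor:03d}.{build}"


def assess(installed: str, track: str | None = None) -> dict:
    """Report whether `installed` predates the fixed build on its track.

    'vulnerable' is True/False when the track is known and None when the
    version does not belong to a track covered by this advisory.
    """
    ver = parse_version(installed)
    track = track or guess_track(ver)
    if track not in FIXED_BUILDS:
        return {"installed": installed, "track": track, "vulnerable": None,
                "note": "track not covered by this advisory; check manually"}
    fixed = FIXED_BUILDS[track]
    return {
        "installed": installed,
        "track": track,
        "fixed": format_version(fixed),
        "vulnerable": ver < fixed,   # tuple comparison: year, then minor, then build
    }


if __name__ == "__main__":
    # Constructed sample inventory for demonstration, not real telemetry.
    sample = ["2020.012.20048", "2020.013.20064", "2020.001.30005",
              "2020.001.30010", "2017.011.30175", "2017.011.30180",
              "2015.006.30523"]
    for v in sample:
        r = assess(v)
        print(f"{v:16} {str(r['track']):13} vulnerable={r['vulnerable']}")
```

Feed it the version string from the product's About dialog, the Windows registry or the macOS application bundle; a result of `None` means the build is on a track this advisory does not list and should be checked against Adobe's own bulletin.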
Adobe is not aware of any of these vulnerabilities being exploited in the wild and does not expect imminent attacks targeting them. Acrobat and Reader check for updates automatically and will install the fixes once they are detected; users who do not want to wait can update manually from within the product. After updating, the version shown in the product's About dialog should be no lower than the fixed build for its track.