Adobe fixes critical security vulnerabilities in Acrobat, Reader

Adobe has released security updates to address critical severity vulnerabilities affecting Adobe Acrobat and Reader for Windows and macOS that could enable attackers to execute arbitrary code on vulnerable devices.

In all, the company today addressed 14 security flaws affecting the two products, 10 of them rated as either critical or important severity bugs.

These bugs may allow arbitrary code execution, local privilege escalation, information disclosure, arbitrary JavaScript execution, and dynamic library injection.

Adobe categorized the security updates as priority 2 updates, which means that they address vulnerabilities with no known public exploits in products that have “historically been at elevated risk.”

The full list of vulnerabilities fixed today is available in the table embedded below, together with their severity ratings and assigned CVE numbers.

| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
|---|---|---|---|
| Heap-based buffer overflow | Arbitrary Code Execution | Critical | CVE-2020-24435 |
| Improper access control | Local privilege escalation | Important | CVE-2020-24433 |
| Improper input validation | Arbitrary JavaScript Execution | Important | CVE-2020-24432 |
| Signature validation bypass | Minimal (defense-in-depth fix) | Moderate | CVE-2020-24439 |
| Signature verification bypass | Local privilege escalation | Important | CVE-2020-24429 |
| Improper input validation | Information Disclosure | Important | CVE-2020-24427 |
| Security feature bypass | Dynamic library injection | Important | CVE-2020-24431 |
| Out-of-bounds write | Arbitrary Code Execution | Critical | CVE-2020-24436 |
| Out-of-bounds read | Information Disclosure | Moderate | CVE-2020-24426, CVE-2020-24434 |
| Race Condition | Local privilege escalation | Important | CVE-2020-24428 |
| Use-after-free | Arbitrary Code Execution | Critical | CVE-2020-24430, CVE-2020-24437 |
| Use-after-free | Information Disclosure | Moderate | CVE-2020-24438 |

Adobe recommends that customers update the vulnerable products to the latest versions as soon as possible, so that unpatched installations cannot be exploited.

Depending on their preferences, users can update their Adobe Acrobat and Reader products to the latest patched versions using one of the following approaches:

  • Users can update their product installations manually by choosing Help > Check for Updates.
  • The products will update automatically, without requiring user intervention, when updates are detected.
  • The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.

IT admins can also deploy the security updates in managed environments using the enterprise installers available through Adobe’s public FTP server or by using Windows/macOS remote management solutions.

Last month, Adobe patched 18 critical security bugs affecting ten of its Windows and macOS products that could be exploited to execute arbitrary code.

The software products patched by Adobe in October include Adobe Creative Cloud Desktop Application, Adobe InDesign, Adobe Media Encoder, Adobe Premiere Pro, Adobe Photoshop, Adobe After Effects, Adobe Animate, Adobe Dreamweaver, Adobe Illustrator, and Marketo.

In October, the company also addressed a critical Adobe Flash Player remote code execution vulnerability that could be exploited by simply visiting a maliciously crafted website.
