Adobe released updated versions of its Acrobat and Reader software on Tuesday that fix fourteen vulnerabilities, four of which are considered critical. These updates should be installed as soon as possible to close the security holes.
The security bulletin (APSB20-67) applies to Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017, and Acrobat Reader 2017 for macOS and Windows.
The update addresses fourteen CVEs:
| Vulnerability category | Vulnerability impact | Severity | CVE number |
|---|---|---|---|
| Heap-based buffer overflow | Arbitrary code execution | Critical | CVE-2020-24435 |
| Improper access control | Local privilege escalation | Important | CVE-2020-24433 |
| Signature verification bypass | Minimal (defense-in-depth fix) | Moderate | CVE-2020-24439 |
| Signature verification bypass | Local privilege escalation | Important | CVE-2020-24429 |
| Improper input validation | Information disclosure | Important | CVE-2020-24427 |
| Security feature bypass | Dynamic library injection | Important | CVE-2020-24431 |
| Out-of-bounds write | Arbitrary code execution | Critical | CVE-2020-24436 |
| Out-of-bounds read | Information disclosure | Moderate | CVE-2020-24426 |
| Race condition | Local privilege escalation | Important | CVE-2020-24428 |
| Use-after-free | Arbitrary code execution | Critical | CVE-2020-24430 |
| Use-after-free | Information disclosure | Moderate | CVE-2020-24438 |
None of the CVEs identified so far have been named by the CERT/CC Vulnonym bot, which intrigues us. At the time of publication of this article, the most recent CVE to receive a name was the IBM App Connect Enterprise Certified Container clickjacking bug (CVE-2020-4785). (The mouflon, in case you're wondering, is a wild sheep associated with the islands of Corsica and Sardinia.)
The four critical vulnerabilities could allow arbitrary code execution in the context of the current user if they are successfully exploited, Adobe said in its bulletin. This is certainly not desirable from a security point of view, so anyone using the relevant Adobe software would do well to update it immediately.
Adobe usually issues patches on Patch Tuesday, a day observed by many technology companies that falls on the second Tuesday of each month. When The Register asked Adobe why it chose to release an out-of-band patch on the first Tuesday of the month, a company spokesperson replied that it sometimes happens, but gave no explanation.
While Adobe tends to release regularly scheduled updates on Update/Patch Tuesday, these regularly scheduled security updates are sometimes released on dates unrelated to Update/Patch Tuesday, the spokesperson said.
The standard version of Adobe Reader and Acrobat from November 2020 contains new features, bug fixes, and security fixes. ®