Adobe released a security update for the widely used Acrobat and Reader. This Adobe security bulletin includes a total of 13 CVEs, 9 of which are known to be critical security fixes for arbitrary code execution vulnerabilities found using a vulnerability scanning tool. The exploitation of other vulnerabilities could lead to the disclosure of sensitive information and grant elevated privileges to an attacker.
The critical code execution vulnerabilities in Acrobat and Reader are:
- CVE-2020-3795 : Out-of-bounds write
- CVE-2020-3799 : Stack-based buffer overflow
- CVE-2020-3792, CVE-2020-3793, CVE-2020-3801, CVE-2020-3802, CVE-2020-3805 : Use-after-free errors
- CVE-2020-3807 : Buffer overflow
- CVE-2020-3797 : Memory corruption
A malicious user could abuse the most severe of these vulnerabilities to gain control of an affected system in certain cases. An attacker could install applications; view, change or delete data; create new accounts or delete existing accounts and elevate the existing privileges of a compromised user to launch further attacks. Also, A patch management tool can patch these vulnerabilities. The initial entry point of attackers into target systems could be through spear-phishing emails or crafted websites hosting malicious PDF documents.
Update:
The tech giant has released security updates for five other products namely Adobe Genuine Integrity Service, PhotoShop, Experience Manager, ColdFusion and Bridge. Also, Twenty critical vulnerabilities have been fixed in these products.
Critical Vulnerabilities
The critical vulnerabilities were identified and fixed in Adobe Photoshop, ColdFusion , and Adobe Bridge. Adobe Photoshop contained the highest number of critical bugs in this set of updates, all allowing execution of arbitrary code. However, These critical security holes in Adobe Photoshop were caused due to heap and memory corruption issues, out-of-bounds write issues and other buffer errors.
The issues which contributed to critical arbitrary code execution vulnerabilities in Adobe Bridge were out-of-bounds write and heap-based buffer overflow errors. In Adobe ColdFusion, the critical remote file read vulnerability could lead to unauthorized access of arbitrary files from the Coldfusion install directory, whereas, another critical file inclusion vulnerability could lead to arbitrary code execution of files located in the webroot or its subdirectory.
Few other important vulnerabilities
Adobe Genuine Integrity Service suffers from a privilege escalation vulnerability due to insecure file permissions in the software. Six CVEs in Adobe Photoshop are related to an out-of-bounds read issue which could lead to disclosure of sensitive information. Another sensitive information disclosure issue was identified in Adobe Experience Manager due to a server-side request forgery (SSRF).
We strongly recommend users of Adobe products to install the security updates as soon as possible.
Adobe Security Bulletin Summary for March 2020:
- Product: Adobe Acrobat and Reader
CVE’s/Advisory: APSB20-13, CVE-2020-3804, CVE-2020-3806, CVE-2020-3795, CVE-2020-3799, CVE-2020-3792, CVE-2020-3793, CVE-2020-3801, CVE-2020-3802, CVE-2020-3805, CVE-2020-3800, CVE-2020-3807, CVE-2020-3797 and then CVE-2020-3803
Severity: Critical
Impact: Arbitrary code execution, Information Disclosure, Privilege Escalation
2. Product : Adobe Genuine Integrity Service
CVE’s/Advisory : APSB20-12, CVE-2020-3766
Severity : Important
Impact : Privilege Escalation
3. Product : Adobe Photoshop
CVE’s/Advisory : APSB20-14, CVE-2020-3783, CVE-2020-3784, CVE-2020-3785, CVE-2020-3786, CVE-2020-3787, CVE-2020-3788, CVE-2020-3789 and then CVE-2020-3790
Severity : Critical
Impact : Arbitrary Code Execution, Information Disclosure,
4. Product : Adobe Experience Manager
CVE’s/Advisory : APSB20-15, CVE-2020-3769
Severity : Important
Impact : Sensitive Information Disclosure
5. Product : Adobe ColdFusion
CVE’s/Advisory : APSB20-16, CVE-2020-3761 and then CVE-2020-3794
Severity : Critical
Impact : Arbitrary file read, Arbitrary code execution
6. Product : Adobe Bridge
CVE’s/Advisory : APSB20-17, CVE-2020-9551, CVE-2020-9552
Severity : Critical
Impact : Arbitrary code execution
Also, SanerNow detects these vulnerabilities and automatically fixes them by applying security updates. Furthermore, Download SanerNow and keep your systems updated and secure.