Adobe Security Bulletin

Security bulletin for Adobe Acrobat and Reader | APSB19-41

Bulletin ID

Date Published

Priority

APSB19-41

August 13, 2019

2

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address important vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.    

Affected Versions

These updates will address important vulnerabilities in the software. Adobe will be assigning the following  priority ratings to these updates:

Product Track Affected Versions Platform
Acrobat DC  Continuous 

2019.012.20034 and earlier versions  macOS
Acrobat DC  Continuous  2019.012.20035 and earlier versions Windows
Acrobat Reader DC Continuous

2019.012.20034 and earlier versions  macOS
Acrobat Reader DC Continuous  2019.012.20035 and earlier versions  Windows
       
Acrobat DC  Classic 2017 2017.011.30142 and earlier versions   macOS
Acrobat DC  Classic 2017 2017.011.30143 and earlier versions Windows
Acrobat Reader DC Classic 2017 2017.011.30142 and earlier versions   macOS
Acrobat Reader DC Classic 2017 2017.011.30143 and earlier versions Windows
       
Acrobat DC  Classic 2015 2015.006.30497 and earlier versions  macOS
Acrobat DC  Classic 2015 2015.006.30498 and earlier versions Windows
Acrobat Reader DC  Classic 2015 2015.006.30497 and earlier versions  macOS
Acrobat Reader DC Classic 2015 2015.006.30498 and earlier versions Windows

Solution

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

  • Users can update their product installations manually by choosing Help > Check for Updates.     

  • The products will update automatically, without requiring user intervention, when updates are detected.      

  • The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     

For IT administrators (managed environments):     

   

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

Product

Track

Updated Versions

Platform

Priority Rating

Availability

Acrobat DC

Continuous

2019.012.20036

Windows and macOS

2

Acrobat Reader DC

Continuous

2019.012.20036

Windows and macOS

2

 

 

 

 

 

 

Acrobat DC

Classic 2017

2017.011.30144

Windows and macOS

2

Acrobat Reader DC

Classic 2017

2017.011.30144

Windows and macOS

2

 

 

 

 

 

 

Acrobat DC

Classic 2015

2015.006.30499

Windows and macOS

2

Acrobat Reader DC

Classic 2015

2015.006.30499

Windows and macOS

2

Vulnerability Details

Vulnerability Category Vulnerability Impact Severity CVE Number

Out-of-Bounds Read   

 

 

Information Disclosure   

 

 

Important   

 

 

CVE-2019-8077

CVE-2019-8094

CVE-2019-8095

CVE-2019-8096

CVE-2019-8102

CVE-2019-8103

CVE-2019-8104

CVE-2019-8105

CVE-2019-8106

CVE-2019-8002

CVE-2019-8004

CVE-2019-8005

CVE-2019-8007

CVE-2019-8010

CVE-2019-8011

CVE-2019-8012

CVE-2019-8018

CVE-2019-8020

CVE-2019-8021

CVE-2019-8032

CVE-2019-8035

CVE-2019-8037

CVE-2019-8040

CVE-2019-8043

CVE-2019-8052

Out-of-Bounds Write   

 

 

Arbitrary Code Execution    

 

 

Important  

 

 

CVE-2019-8098

CVE-2019-8100

CVE-2019-7965

CVE-2019-8008

CVE-2019-8009

CVE-2019-8016

CVE-2019-8022

CVE-2019-8023

CVE-2019-8027

Command Injection  Arbitrary Code Execution   Important  CVE-2019-8060

Use After Free   

 

 

Arbitrary Code Execution     

 

 

Important 

 

 

CVE-2019-8003

CVE-2019-8013

CVE-2019-8024

CVE-2019-8025

CVE-2019-8026

CVE-2019-8028

CVE-2019-8029

CVE-2019-8030

CVE-2019-8031

CVE-2019-8033

CVE-2019-8034

CVE-2019-8036

CVE-2019-8038

CVE-2019-8039

CVE-2019-8047

CVE-2019-8051

CVE-2019-8053

CVE-2019-8054

CVE-2019-8055

CVE-2019-8056

CVE-2019-8057

CVE-2019-8058

CVE-2019-8059

CVE-2019-8061

CVE-2019-8257

Heap Overflow 

 

 

Arbitrary Code Execution     

 

 

Important 

 

 

CVE-2019-8066

CVE-2019-8014

CVE-2019-8015

CVE-2019-8041

CVE-2019-8042

CVE-2019-8046

CVE-2019-8049

CVE-2019-8050

Buffer Error  Arbitrary Code Execution       Important   CVE-2019-8048
Double Free  Arbitrary Code Execution      Important    CVE-2019-8044 
Integer Overflow Information Disclosure Important 

CVE-2019-8099

CVE-2019-8101

Internal IP Disclosure Information Disclosure Important  CVE-2019-8097
Type Confusion Arbitrary Code Execution   Important 

CVE-2019-8019 

CVE-2019-8249

CVE-2019-8250

Untrusted Pointer Dereference

 

 

Arbitrary Code Execution 

 

 

Important 

 

 

CVE-2019-8006

CVE-2019-8017

CVE-2019-8045

Insufficiently Robust Encryption Security feature bypass Critical CVE-2019-8237
Type Confusion Information Disclosure Important

CVE-2019-8251

CVE-2019-8252

Acknowledgements

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:    

  • Dhanesh Kizhakkinan of FireEye Inc. (CVE-2019-8066) 
  • Xu Peng and Su Purui from TCA/SKLCS Institute of Software Chinese Academy of Sciences and Codesafe Team of Legendsec at Qi'anxin Group (CVE-2019-8029, CVE-2019-8030, CVE-2019-8031) 
  • (A.K.) Karim Zidani, Independent Security Researcher ; https://imAK.xyz/ (CVE-2019-8097) 
  • Anonymous working with Trend Micro Zero Day Initiative (CVE-2019-8033, CVE-2019-8037)  
  • BUGFENSE Anonymous Bug Bounties https://bugfense.io (CVE-2019-8015) 
  • Haikuo Xie of Baidu Security Lab working with Trend Micro Zero Day Initiative (CVE-2019-8035, CVE-2019-8257) 
  • Wei Lei of STAR Labs (CVE-2019-8009, CVE-2019-8018, CVE-2019-8010, CVE-2019-8011) 
  • Li Qi(@leeqwind) & Wang Lei(@CubestoneW) & Liao Bangjie(@b1acktrac3) of Qihoo360 CoreSecurity(@360CoreSec) (CVE-2019-8012) 
  • Ke Liu of Tencent Security Xuanwu Lab (CVE-2019-8094, CVE-2019-8095, CVE-2019-8096, CVE-2019-8004, CVE-2019-8005, CVE-2019-8006, CVE-2019-8077, CVE-2019-8003, CVE-2019-8020, CVE-2019-8021, CVE-2019-8022, CVE-2019-8023) 
  • Haikuo Xie of Baidu Security Lab (CVE-2019-8032, CVE-2019-8036) 
  • ktkitty (https://ktkitty.github.io) working with Trend Micro Zero Day Initiative (CVE-2019-8014) 
  • Mat Powell of Trend Micro Zero Day Initiative (CVE-2019-8008, CVE-2019-8051, CVE-2019-8053, CVE-2019-8054, CVE-2019-8056, CVE-2019-8057, CVE-2019-8058, CVE-2019-8059) 
  • Mateusz Jurczyk of Google Project Zero (CVE-2019-8041, CVE-2019-8042, CVE-2019-8043, CVE-2019-8044, CVE-2019-8045, CVE-2019-8046, CVE-2019-8047, CVE-2019-8048, CVE-2019-8049, CVE-2019-8050, CVE-2019-8016, CVE-2019-8017) 
  • Michael Bourque (CVE-2019-8007) 
  • peternguyen working with Trend Micro Zero Day Initiative (CVE-2019-8013, CVE-2019-8034) 
  • Simon Zuckerbraun of Trend Micro Zero Day Initiative (CVE-2019-8027) 
  • Steven Seeley (mr_me) of Source Incite working with Trend Micro Zero Day Initiative (CVE-2019-8019) 
  • Steven Seeley (mr_me) of Source Incite working with iDefense Labs(https://vcp.idefense.com/) (CVE-2019-8098, CVE-2019-8099, CVE-2019-8100, CVE-2019-8101, CVE-2019-8102, CVE-2019-8103, CVE-2019-8104, CVE-2019-8106, CVE-2019-7965, CVE-2019-8105) 
  • willJ working with Trend Micro Zero Day Initiative (CVE-2019-8040, CVE-2019-8052) 
  • Esteban Ruiz (mr_me) of Source Incite working with iDefense Labs(https://vcp.idefense.com/) (CVE-2019-8002) 
  • Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team (CVE-2019-8024, CVE-2019-8061, CVE-2019-8055) 
  • Zhaoyan Xu, Hui Gao of Palo Alto Networks (CVE-2019-8026, CVE-2019-8028) 
  • Lexuan Sun, Hao Cai of Palo Alto Networks (CVE-2019-8025) 
  • Bit of STARLabs working with Trend Micro Zero Day Initiative (CVE-2019-8038, CVE-2019-8039)
  • Zhongcheng Li (CK01) of Topsec Alpha Team (CVE-2019-8060)
  • Jens Müller (CVE-2019-8237)
  • Steven Seeley (mr_me) of Source Incite (CVE-2019-8249, CVE-2019-8250, CVE-2019-8251, CVE-2019-8252)

Revisions

August 14, 2019: Added acknowledgement for CVE-2019-8016 & CVE-2019-8017.

August 22, 2019: Updated CVE id from CVE-2019-7832 to CVE-2019-8066.

September 26, 2019: Added acknowledgement for CVE-2019-8060.

October 23, 2019: Inlcuded details about CVE-2019-8237.

November 19, 2019: Included details about CVE-2019-8249, CVE-2019-8250, CVE-2019-8251, CVE-2019-8252

December 10, 2019: Inlcuded details about CVE-2019-8257.

Get help faster and easier

New user?