Adobe Security Bulletin

Security bulletin for Adobe Acrobat and Reader | APSB19-41

Bulletin ID	Date Published	Priority
APSB19-41	August 13, 2019	2

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address important vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.    

These updates will address important vulnerabilities in the software. Adobe will be assigning the following  priority ratings to these updates:

Product	Track	Affected Versions	Platform
Acrobat DC	Continuous	2019.012.20034 and earlier versions	macOS
Acrobat DC	Continuous	2019.012.20035 and earlier versions	Windows
Acrobat Reader DC	Continuous	2019.012.20034 and earlier versions	macOS
Acrobat Reader DC	Continuous	2019.012.20035 and earlier versions	Windows

Acrobat DC	Classic 2017	2017.011.30142 and earlier versions	macOS
Acrobat DC	Classic 2017	2017.011.30143 and earlier versions	Windows
Acrobat Reader DC	Classic 2017	2017.011.30142 and earlier versions	macOS
Acrobat Reader DC	Classic 2017	2017.011.30143 and earlier versions	Windows

Acrobat DC	Classic 2015	2015.006.30497 and earlier versions	macOS
Acrobat DC	Classic 2015	2015.006.30498 and earlier versions	Windows
Acrobat Reader DC	Classic 2015	2015.006.30497 and earlier versions	macOS
Acrobat Reader DC	Classic 2015	2015.006.30498 and earlier versions	Windows

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

Users can update their product installations manually by choosing Help > Check for Updates.     
The products will update automatically, without requiring user intervention, when updates are detected.     
The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.

For IT administrators (managed environments):     

Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.     
Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

Product	Track	Updated Versions	Platform	Priority Rating	Availability
Acrobat DC	Continuous	2019.012.20036	Windows and macOS	2	Windows     macOS
Acrobat Reader DC	Continuous	2019.012.20036	Windows and macOS	2	Windows macOS

Acrobat DC	Classic 2017	2017.011.30144	Windows and macOS	2	Windows macOS
Acrobat Reader DC	Classic 2017	2017.011.30144	Windows and macOS	2	Windows macOS

Acrobat DC	Classic 2015	2015.006.30499	Windows and macOS	2	Windows macOS
Acrobat Reader DC	Classic 2015	2015.006.30499	Windows and macOS	2	Windows macOS

Vulnerability Category	Vulnerability Impact	Severity	CVE Number
Out-of-Bounds Read	Information Disclosure	Important	CVE-2019-8077 CVE-2019-8094 CVE-2019-8095 CVE-2019-8096 CVE-2019-8102 CVE-2019-8103 CVE-2019-8104 CVE-2019-8105 CVE-2019-8106 CVE-2019-8002 CVE-2019-8004 CVE-2019-8005 CVE-2019-8007 CVE-2019-8010 CVE-2019-8011 CVE-2019-8012 CVE-2019-8018 CVE-2019-8020 CVE-2019-8021 CVE-2019-8032 CVE-2019-8035 CVE-2019-8037 CVE-2019-8040 CVE-2019-8043 CVE-2019-8052
Out-of-Bounds Write	Arbitrary Code Execution	Important	CVE-2019-8098 CVE-2019-8100 CVE-2019-7965 CVE-2019-8008 CVE-2019-8009 CVE-2019-8016 CVE-2019-8022 CVE-2019-8023 CVE-2019-8027
Command Injection	Arbitrary Code Execution	Important	CVE-2019-8060
Use After Free	Arbitrary Code Execution	Important	CVE-2019-8003 CVE-2019-8013 CVE-2019-8024 CVE-2019-8025 CVE-2019-8026 CVE-2019-8028 CVE-2019-8029 CVE-2019-8030 CVE-2019-8031 CVE-2019-8033 CVE-2019-8034 CVE-2019-8036 CVE-2019-8038 CVE-2019-8039 CVE-2019-8047 CVE-2019-8051 CVE-2019-8053 CVE-2019-8054 CVE-2019-8055 CVE-2019-8056 CVE-2019-8057 CVE-2019-8058 CVE-2019-8059 CVE-2019-8061 CVE-2019-8257
Heap Overflow	Arbitrary Code Execution	Important	CVE-2019-8066 CVE-2019-8014 CVE-2019-8015 CVE-2019-8041 CVE-2019-8042 CVE-2019-8046 CVE-2019-8049 CVE-2019-8050
Buffer Error	Arbitrary Code Execution	Important	CVE-2019-8048
Double Free	Arbitrary Code Execution	Important	CVE-2019-8044
Integer Overflow	Information Disclosure	Important	CVE-2019-8099 CVE-2019-8101
Internal IP Disclosure	Information Disclosure	Important	CVE-2019-8097
Type Confusion	Arbitrary Code Execution	Important	CVE-2019-8019 CVE-2019-8249 CVE-2019-8250
Untrusted Pointer Dereference	Arbitrary Code Execution	Important	CVE-2019-8006 CVE-2019-8017 CVE-2019-8045
Insufficiently Robust Encryption	Security feature bypass	Critical	CVE-2019-8237
Type Confusion	Information Disclosure	Important	CVE-2019-8251 CVE-2019-8252

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:    

Dhanesh Kizhakkinan of FireEye Inc. (CVE-2019-8066)
Xu Peng and Su Purui from TCA/SKLCS Institute of Software Chinese Academy of Sciences and Codesafe Team of Legendsec at Qi'anxin Group (CVE-2019-8029, CVE-2019-8030, CVE-2019-8031)
(A.K.) Karim Zidani, Independent Security Researcher ; https://imAK.xyz/ (CVE-2019-8097)
Anonymous working with Trend Micro Zero Day Initiative (CVE-2019-8033, CVE-2019-8037) 
BUGFENSE Anonymous Bug Bounties https://bugfense.io (CVE-2019-8015)
Haikuo Xie of Baidu Security Lab working with Trend Micro Zero Day Initiative (CVE-2019-8035, CVE-2019-8257)
Wei Lei of STAR Labs (CVE-2019-8009, CVE-2019-8018, CVE-2019-8010, CVE-2019-8011)
Li Qi(@leeqwind) & Wang Lei(@CubestoneW) & Liao Bangjie(@b1acktrac3) of Qihoo360 CoreSecurity(@360CoreSec) (CVE-2019-8012)
Ke Liu of Tencent Security Xuanwu Lab (CVE-2019-8094, CVE-2019-8095, CVE-2019-8096, CVE-2019-8004, CVE-2019-8005, CVE-2019-8006, CVE-2019-8077, CVE-2019-8003, CVE-2019-8020, CVE-2019-8021, CVE-2019-8022, CVE-2019-8023)
Haikuo Xie of Baidu Security Lab (CVE-2019-8032, CVE-2019-8036)
ktkitty (https://ktkitty.github.io) working with Trend Micro Zero Day Initiative (CVE-2019-8014)
Mat Powell of Trend Micro Zero Day Initiative (CVE-2019-8008, CVE-2019-8051, CVE-2019-8053, CVE-2019-8054, CVE-2019-8056, CVE-2019-8057, CVE-2019-8058, CVE-2019-8059)
Mateusz Jurczyk of Google Project Zero (CVE-2019-8041, CVE-2019-8042, CVE-2019-8043, CVE-2019-8044, CVE-2019-8045, CVE-2019-8046, CVE-2019-8047, CVE-2019-8048, CVE-2019-8049, CVE-2019-8050, CVE-2019-8016, CVE-2019-8017)
Michael Bourque (CVE-2019-8007)
peternguyen working with Trend Micro Zero Day Initiative (CVE-2019-8013, CVE-2019-8034)
Simon Zuckerbraun of Trend Micro Zero Day Initiative (CVE-2019-8027)
Steven Seeley (mr_me) of Source Incite working with Trend Micro Zero Day Initiative (CVE-2019-8019)
Steven Seeley (mr_me) of Source Incite working with iDefense Labs(https://vcp.idefense.com/) (CVE-2019-8098, CVE-2019-8099, CVE-2019-8100, CVE-2019-8101, CVE-2019-8102, CVE-2019-8103, CVE-2019-8104, CVE-2019-8106, CVE-2019-7965, CVE-2019-8105)
willJ working with Trend Micro Zero Day Initiative (CVE-2019-8040, CVE-2019-8052)
Esteban Ruiz (mr_me) of Source Incite working with iDefense Labs(https://vcp.idefense.com/) (CVE-2019-8002)
Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team (CVE-2019-8024, CVE-2019-8061, CVE-2019-8055)
Zhaoyan Xu, Hui Gao of Palo Alto Networks (CVE-2019-8026, CVE-2019-8028)
Lexuan Sun, Hao Cai of Palo Alto Networks (CVE-2019-8025)
Bit of STARLabs working with Trend Micro Zero Day Initiative (CVE-2019-8038, CVE-2019-8039)
Zhongcheng Li (CK01) of Topsec Alpha Team (CVE-2019-8060)
Jens Müller (CVE-2019-8237)
Steven Seeley (mr_me) of Source Incite (CVE-2019-8249, CVE-2019-8250, CVE-2019-8251, CVE-2019-8252)

August 14, 2019: Added acknowledgement for CVE-2019-8016 & CVE-2019-8017.

August 22, 2019: Updated CVE id from CVE-2019-7832 to CVE-2019-8066.

September 26, 2019: Added acknowledgement for CVE-2019-8060.

October 23, 2019: Inlcuded details about CVE-2019-8237.

November 19, 2019: Included details about CVE-2019-8249, CVE-2019-8250, CVE-2019-8251, CVE-2019-8252

December 10, 2019: Inlcuded details about CVE-2019-8257.

Adobe Security Bulletin

Summary

Affected Versions

Solution

Vulnerability Details

Acknowledgements

Revisions

Ask the Community

Contact Us