Adobe Security Bulletin

Security updates available for Adobe Acrobat and Reader | APSB19-49

| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB19-49 | October 15, 2019 | 2 |

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Affected Versions

| Product | Track | Affected Versions | Platform |
|---|---|---|---|
| Acrobat DC | Continuous | 2019.012.20040 and earlier versions | Windows & macOS |
| Acrobat Reader DC | Continuous | 2019.012.20040 and earlier versions | Windows & macOS |
| Acrobat 2017 | Classic 2017 | 2017.011.30148 and earlier versions | Windows & macOS |
| Acrobat Reader 2017 | Classic 2017 | 2017.011.30148 and earlier versions | Windows & macOS |
| Acrobat 2015 | Classic 2015 | 2015.006.30503 and earlier versions | Windows & macOS |
| Acrobat Reader 2015 | Classic 2015 | 2015.006.30503 and earlier versions | Windows & macOS |

Solution

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

  • Users can update their product installations manually by choosing Help > Check for Updates.     

  • The products will update automatically, without requiring user intervention, when updates are detected.      

  • The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     

For IT administrators (managed environments):     

  • Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.     

  • Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     

   

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

| Product | Track | Updated Versions | Platform | Priority Rating | Availability |
|---|---|---|---|---|---|
| Acrobat DC | Continuous | 2019.021.20047 | Windows and macOS | 2 | Windows, macOS |
| Acrobat Reader DC | Continuous | 2019.021.20047 | Windows and macOS | 2 | |
| Acrobat 2017 | Classic 2017 | 2017.011.30150 | Windows and macOS | 2 | |
| Acrobat Reader 2017 | Classic 2017 | 2017.011.30150 | Windows and macOS | 2 | |
| Acrobat 2015 | Classic 2015 | 2015.006.30504 | Windows and macOS | 2 | |
| Acrobat Reader 2015 | Classic 2015 | 2015.006.30504 | Windows and macOS | 2 | |

Vulnerability Details

| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
|---|---|---|---|
| Out-of-Bounds Read | Information Disclosure | Important | CVE-2019-8164, CVE-2019-8168, CVE-2019-8172, CVE-2019-8173, CVE-2019-8064, CVE-2019-8182, CVE-2019-8184, CVE-2019-8185, CVE-2019-8189, CVE-2019-8163, CVE-2019-8190, CVE-2019-8193, CVE-2019-8194, CVE-2019-8198, CVE-2019-8201, CVE-2019-8202, CVE-2019-8204, CVE-2019-8207, CVE-2019-8216, CVE-2019-8218, CVE-2019-8222 |
| Out-of-Bounds Write | Arbitrary Code Execution | Critical | CVE-2019-8171, CVE-2019-8186, CVE-2019-8165, CVE-2019-8191, CVE-2019-8199, CVE-2019-8206 |
| Use After Free | Arbitrary Code Execution | Critical | CVE-2019-8175, CVE-2019-8176, CVE-2019-8177, CVE-2019-8178, CVE-2019-8179, CVE-2019-8180, CVE-2019-8181, CVE-2019-8187, CVE-2019-8188, CVE-2019-8192, CVE-2019-8203, CVE-2019-8208, CVE-2019-8209, CVE-2019-8210, CVE-2019-8211, CVE-2019-8212, CVE-2019-8213, CVE-2019-8214, CVE-2019-8215, CVE-2019-8217, CVE-2019-8219, CVE-2019-8220, CVE-2019-8221, CVE-2019-8223, CVE-2019-8224, CVE-2019-8225 |
| Heap Overflow | Arbitrary Code Execution | Critical | CVE-2019-8170, CVE-2019-8183, CVE-2019-8197 |
| Buffer Overrun | Arbitrary Code Execution | Critical | CVE-2019-8166 |
| Cross-site Scripting | Information Disclosure | Important | CVE-2019-8160 |
| Race Condition | Arbitrary Code Execution | Critical | CVE-2019-8162 |
| Incomplete Implementation of Security Mechanism | Information Disclosure | Important | CVE-2019-8226 |
| Type Confusion | Arbitrary Code Execution | Critical | CVE-2019-8161, CVE-2019-8167, CVE-2019-8169, CVE-2019-8200 |
| Untrusted Pointer Dereference | Arbitrary Code Execution | Critical | CVE-2019-8174, CVE-2019-8195, CVE-2019-8196, CVE-2019-8205 |

Acknowledgements

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:    

  • Anonymous working with Trend Micro Zero Day Initiative (CVE-2019-8203, CVE-2019-8208, CVE-2019-8210, CVE-2019-8217, CVE-2019-8219, CVE-2019-8225)
  • Haikuo Xie of Baidu Security Lab working with Trend Micro Zero Day Initiative (CVE-2019-8209, CVE-2019-8223) 
  • hungtt28 of Viettel Cyber Security working with Trend Micro Zero Day Initiative (CVE-2019-8204)
  • Juan Pablo Lopez Yacubian working with Trend Micro Zero Day Initiative (CVE-2019-8172) 
  • Ke Liu of Tencent Security Xuanwu Lab (CVE-2019-8199, CVE-2019-8200, CVE-2019-8201, CVE-2019-8202)
  • L4Nce working with Trend Micro Zero Day Initiative (CVE-2019-8064) 
  • Mat Powell of Trend Micro Zero Day Initiative (CVE-2019-8166, CVE-2019-8175, CVE-2019-8178, CVE-2019-8179, CVE-2019-8180, CVE-2019-8181, CVE-2019-8187, CVE-2019-8188, CVE-2019-8189, CVE-2019-8163, CVE-2019-8190, CVE-2019-8165, CVE-2019-8191)
  • Mateusz Jurczyk of Google Project Zero (CVE-2019-8195, CVE-2019-8196, CVE-2019-8197)
  • peternguyen working with Trend Micro Zero Day Initiative (CVE-2019-8176, CVE-2019-8224) 
  • Steven Seeley (mr_me) of Source Incite working with Trend Micro Zero Day Initiative (CVE-2019-8170, CVE-2019-8171, CVE-2019-8173, CVE-2019-8174)
  • Heige of Knownsec 404 Security Team (http://www.knownsec.com/) (CVE-2019-8160) 
  • Xizsmin and Lee JinYoung of Codemize Security Research Lab (CVE-2019-8218)
  • Mipu94 of SEFCOM Lab, Arizona State University (CVE-2019-8211, CVE-2019-8212, CVE-2019-8213, CVE-2019-8214, CVE-2019-8215) 
  • Esteban Ruiz (mr_me) of Source Incite (CVE-2019-8161, CVE-2019-8164, CVE-2019-8167, CVE-2019-8168, CVE-2019-8169, CVE-2019-8182)
  • Ta Dinh Sung of STAR Labs (CVE-2019-8220, CVE-2019-8221) 
  • Behzad Najjarpour Jabbari, Secunia Research at Flexera (CVE-2019-8222)
  • Aleksandar Nikolic of Cisco Talos (CVE-2019-8183)
  • Nguyen Hong Quang (https://twitter.com/quangnh89) of Viettel Cyber Security (CVE-2019-8193)
  • Zhiyuan Wang and willJ from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. (CVE-2019-8185, CVE-2019-8186) 
  • Yangkang(@dnpushme) & Li Qi(@leeqwind) & Yang Jianxiong(@sinkland_) of Qihoo360 CoreSecurity(@360CoreSec) (CVE-2019-8194)
  • Lee JinYoung of Codemize Security Research Lab (http://codemize.co.kr) (CVE-2019-8216) 
  • Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team (CVE-2019-8205)
  • Zhibin Zhang of Palo Alto Networks (CVE-2019-8206) 
  • Andrew Hart (CVE-2019-8226)
  • peternguyen (meepwn ctf) working with Trend Micro Zero Day Initiative (CVE-2019-8192, CVE-2019-8177) 
  • Haikuo Xie of Baidu Security Lab (CVE-2019-8184)
  • Zhiniang Peng of Qihoo 360 Core security & Jiadong Lu of South China University of Technology (CVE-2019-8162)

Revisions

November 11, 2019: Added acknowledgement for CVE-2019-8195 & CVE-2019-8196.

 
