Security bulletin for Adobe Acrobat and Reader | APSB19-41
Bulletin ID Date Published Priority
APSB19-41 August 13, 2019 2

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address important vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.    

Affected Versions

These updates will address important vulnerabilities in the software. Adobe will be assigning the following  priority ratings to these updates:

Product Track Affected Versions Platform
Acrobat DC  Continuous 

2019.012.20034 and earlier versions  macOS
Acrobat DC  Continuous  2019.012.20035 and earlier versions Windows
Acrobat Reader DC Continuous

2019.012.20034 and earlier versions  macOS
Acrobat Reader DC Continuous  2019.012.20035 and earlier versions  Windows
       
Acrobat DC  Classic 2017 2017.011.30142 and earlier versions   macOS
Acrobat DC  Classic 2017 2017.011.30143 and earlier versions Windows
Acrobat Reader DC Classic 2017 2017.011.30142 and earlier versions   macOS
Acrobat Reader DC Classic 2017 2017.011.30143 and earlier versions Windows
       
Acrobat DC  Classic 2015 2015.006.30497 and earlier versions  macOS
Acrobat DC  Classic 2015 2015.006.30498 and earlier versions Windows
Acrobat Reader DC  Classic 2015 2015.006.30497 and earlier versions  macOS
Acrobat Reader DC Classic 2015 2015.006.30498 and earlier versions Windows

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page

For questions regarding Acrobat Reader DC, please visit the Acrobat Reader DC FAQ page.

Solution

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

  • Users can update their product installations manually by choosing Help > Check for Updates.     

  • The products will update automatically, without requiring user intervention, when updates are detected.      

  • The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     

For IT administrators (managed environments):     

  • Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.     

  • Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     

   

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

Product Track Updated Versions Platform Priority Rating Availability
Acrobat DC Continuous 2019.012.20036 Windows and macOS 2

Windows    

macOS  

Acrobat Reader DC Continuous 2019.012.20036

Windows and macOS 2

Windows



macOS

           
Acrobat DC Classic 2017 2017.011.30144 Windows and macOS 2

Windows

macOS

Acrobat Reader DC Classic 2017 2017.011.30144 Windows and macOS 2

Windows

macOS

           
Acrobat DC Classic 2015 2015.006.30499 Windows and macOS 2

Windows

macOS

Acrobat Reader DC Classic 2015 2015.006.30499 Windows and macOS 2

Windows

macOS

Vulnerability Details

Vulnerability Category Vulnerability Impact Severity CVE Number

Out-of-Bounds Read   

 

 

Information Disclosure   

 

 

Important   

 

 

CVE-2019-8077

CVE-2019-8094

CVE-2019-8095

CVE-2019-8096

CVE-2019-8102

CVE-2019-8103

CVE-2019-8104

CVE-2019-8105

CVE-2019-8106

CVE-2019-8002

CVE-2019-8004

CVE-2019-8005

CVE-2019-8007

CVE-2019-8010

CVE-2019-8011

CVE-2019-8012

CVE-2019-8018

CVE-2019-8020

CVE-2019-8021

CVE-2019-8032

CVE-2019-8035

CVE-2019-8037

CVE-2019-8040

CVE-2019-8043

CVE-2019-8052

Out-of-Bounds Write   

 

 

Arbitrary Code Execution    

 

 

Important  

 

 

CVE-2019-8098

CVE-2019-8100

CVE-2019-7965

CVE-2019-8008

CVE-2019-8009

CVE-2019-8016

CVE-2019-8022

CVE-2019-8023

CVE-2019-8027

Command Injection  Arbitrary Code Execution   Important  CVE-2019-8060

Use After Free   

 

 

Arbitrary Code Execution     

 

 

Important 

 

 

CVE-2019-8003

CVE-2019-8013

CVE-2019-8024

CVE-2019-8025

CVE-2019-8026

CVE-2019-8028

CVE-2019-8029

CVE-2019-8030

CVE-2019-8031

CVE-2019-8033

CVE-2019-8034

CVE-2019-8036

CVE-2019-8038

CVE-2019-8039

CVE-2019-8047

CVE-2019-8051

CVE-2019-8053

CVE-2019-8054

CVE-2019-8055

CVE-2019-8056

CVE-2019-8057
CVE-2019-8058

CVE-2019-8059

CVE-2019-8061

Heap Overflow 

 

 

Arbitrary Code Execution     

 

 

Important 

 

 

CVE-2019-8066

CVE-2019-8014

CVE-2019-8015

CVE-2019-8041

CVE-2019-8042

CVE-2019-8046

CVE-2019-8049

CVE-2019-8050

Buffer Error  Arbitrary Code Execution       Important   CVE-2019-8048
Double Free  Arbitrary Code Execution      Important    CVE-2019-8044 
Integer Overflow Information Disclosure Important 

CVE-2019-8099

CVE-2019-8101

Internal IP Disclosure Information Disclosure Important  CVE-2019-8097
Type Confusion Arbitrary Code Execution   Important  CVE-2019-8019 

Untrusted Pointer Dereference

 

 

Arbitrary Code Execution 

 

 

Important 

 

 

CVE-2019-8006

CVE-2019-8017

CVE-2019-8045

Acknowledgements

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:     

  • Dhanesh Kizhakkinan of FireEye Inc. (CVE-2019-8066) 

  • Xu Peng and Su Purui from TCA/SKLCS Institute of Software Chinese Academy of Sciences and Codesafe Team of Legendsec at Qi'anxin Group (CVE-2019-8029, CVE-2019-8030, CVE-2019-8031) 

  • (A.K.) Karim Zidani, Independent Security Researcher ; https://imAK.xyz/ (CVE-2019-8097) 

  • Anonymous working with Trend Micro Zero Day Initiative (CVE-2019-8033, CVE-2019-8037)  

  • BUGFENSE Anonymous Bug Bounties https://bugfense.io (CVE-2019-8015) 

  • Haikuo Xie of Baidu Security Lab working with Trend Micro Zero Day Initiative (CVE-2019-8035) 

  • Wei Lei of STAR Labs (CVE-2019-8009, CVE-2019-8018, CVE-2019-8010, CVE-2019-8011) 

  • Li Qi(@leeqwind) & Wang Lei(@CubestoneW) & Liao Bangjie(@b1acktrac3) of Qihoo360 CoreSecurity(@360CoreSec) (CVE-2019-8012) 

  • Ke Liu of Tencent Security Xuanwu Lab (CVE-2019-8094, CVE-2019-8095, CVE-2019-8096, CVE-2019-8004, CVE-2019-8005, CVE-2019-8006, CVE-2019-8077, CVE-2019-8003, CVE-2019-8020, CVE-2019-8021, CVE-2019-8022, CVE-2019-8023) 

  • Haikuo Xie of Baidu Security Lab (CVE-2019-8032, CVE-2019-8036) 

  • ktkitty (https://ktkitty.github.io) working with Trend Micro Zero Day Initiative (CVE-2019-8014) 

  • Mat Powell of Trend Micro Zero Day Initiative (CVE-2019-8008, CVE-2019-8051, CVE-2019-8053, CVE-2019-8054, CVE-2019-8056, CVE-2019-8057, CVE-2019-8058, CVE-2019-8059) 

  • Mateusz Jurczyk of Google Project Zero (CVE-2019-8041, CVE-2019-8042, CVE-2019-8043, CVE-2019-8044, CVE-2019-8045, CVE-2019-8046, CVE-2019-8047, CVE-2019-8048, CVE-2019-8049, CVE-2019-8050, CVE-2019-8016, CVE-2019-8017) 

  • Michael Bourque (CVE-2019-8007) 

  • peternguyen working with Trend Micro Zero Day Initiative (CVE-2019-8013, CVE-2019-8034) 

  • Simon Zuckerbraun of Trend Micro Zero Day Initiative (CVE-2019-8027) 

  • Steven Seeley (mr_me) of Source Incite working with Trend Micro Zero Day Initiative (CVE-2019-8019) 

  • Steven Seeley (mr_me) of Source Incite working with iDefense Labs(https://vcp.idefense.com/) (CVE-2019-8098, CVE-2019-8099, CVE-2019-8100, CVE-2019-8101, CVE-2019-8102, CVE-2019-8103, CVE-2019-8104, CVE-2019-8106, CVE-2019-7965, CVE-2019-8105) 

  • willJ working with Trend Micro Zero Day Initiative (CVE-2019-8040, CVE-2019-8052) 

  • Esteban Ruiz (mr_me) of Source Incite working with iDefense Labs(https://vcp.idefense.com/) (CVE-2019-8002) 

  • Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team (CVE-2019-8024, CVE-2019-8061, CVE-2019-8055) 

  • Zhaoyan Xu, Hui Gao of Palo Alto Networks (CVE-2019-8026, CVE-2019-8028) 

  • Lexuan Sun, Hao Cai of Palo Alto Networks (CVE-2019-8025) 

  • Bit of STARLabs working with Trend Micro Zero Day Initiative (CVE-2019-8038, CVE-2019-8039) 

Revisions

August 14, 2019: Added Acknoledgement for CVE-2019-8016 & CVE-2019-8017.

August 22, 2019: Updated CVE id from CVE-2019-7832 to CVE-2019-8066.