Security update available for Adobe Acrobat and Reader | APSB19-55
Bulletin ID Date Published Priority
APSB19-55 December 10, 2019 2

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and  important vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.    

Affected Versions

Product Track Affected Versions Platform
Acrobat DC  Continuous 

2019.021.20056 and earlier versions  Windows & macOS
Acrobat Reader DC Continuous   2019.021.20056 and earlier versions  Windows & macOS
       
Acrobat 2017 Classic 2017 2017.011.30152 and earlier versions  Windows 
Acrobat 2017 Classic 2017 2017.011.30155 and earlier version macOS
Acrobat Reader 2017 Classic 2017 2017.011.30152 and earlier versions Windows & macOS
       
Acrobat 2015  Classic 2015 2015.006.30505 and earlier versions Windows & macOS
Acrobat Reader 2015 Classic 2015 2015.006.30505 and earlier versions Windows & macOS

Solution

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

  • Users can update their product installations manually by choosing Help > Check for Updates.     

  • The products will update automatically, without requiring user intervention, when updates are detected.      

  • The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     

For IT administrators (managed environments):     

  • Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.     

  • Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     

   

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

Product Track Updated Versions Platform Priority Rating Availability
Acrobat DC Continuous 2019.021.20058 Windows and macOS 2

Windows    

macOS  

Acrobat Reader DC Continuous 2019.021.20058
Windows and macOS 2

Windows


macOS

           
Acrobat 2017 Classic 2017 2017.011.30156 Windows and macOS 2

Windows

macOS

Acrobat Reader 2017 Classic 2017 2017.011.30156 Windows and macOS 2

Windows

macOS

           
Acrobat 2015 Classic 2015 2015.006.30508 Windows and macOS 2

Windows

macOS

Acrobat Reader 2015 Classic 2015 2015.006.30508 Windows and macOS 2

Windows

macOS

Vulnerability Details

Vulnerability Category Vulnerability Impact Severity CVE Number
Out-of-Bounds Read   Information Disclosure   Important   

CVE-2019-16449

CVE-2019-16456

CVE-2019-16457

CVE-2019-16458

CVE-2019-16461

CVE-2019-16465

Out-of-Bounds Write  Arbitrary Code Execution    Critical

CVE-2019-16450

CVE-2019-16454

Use After Free    Arbitrary Code Execution      Critical

CVE-2019-16445

CVE-2019-16448

CVE-2019-16452

CVE-2019-16459

CVE-2019-16464

CVE-2019-16471

Heap Overflow  Arbitrary Code Execution      Critical CVE-2019-16451
Buffer Error Arbitrary Code Execution      Critical

CVE-2019-16462

CVE-2019-16470

Untrusted Pointer Dereference Arbitrary Code Execution  Critical

CVE-2019-16446

CVE-2019-16455

CVE-2019-16460

CVE-2019-16463

Binary Planting (default folder privilege escalation)  Privilege Escalation Important  CVE-2019-16444
Security Bypass Arbitrary Code Execution Critical CVE-2019-16453

Acknowledgements

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:    

  • Mateusz Jurczyk of Google Project Zero & Anonymous working with Trend Micro Zero Day Initiative (CVE-2019-16451)
  • Honc (章哲瑜) (CVE-2019-16444) 
  • Ke Liu of Tencent Security Xuanwu Lab. (CVE-2019-16445, CVE-2019-16449, CVE-2019-16450, CVE-2019-16454, CVE-2019-16471)
  • Sung Ta (@Mipu94) of SEFCOM Lab, Arizona State University (CVE-2019-16446, CVE-2019-16448) 
  • Aleksandar Nikolic of Cisco Talos (CVE-2019-16463)
  • Technical support team of HTBLA Leonding (CVE-2019-16453) 
  • Haikuo Xie of Baidu Security Lab (CVE-2019-16461)
  • Bit of STAR Labs (CVE-2019-16452) 
  • Xinyu Wan and Yiwei Zhang from Renmin University of China (CVE-2019-16455, CVE-2019-16460, CVE-2019-16462)
  • Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team (CVE-2019-16456) 
  • Zhibin Zhang of Palo Alto Networks (CVE-2019-16457)
  • Qi Deng, Ken Hsu of Palo Alto Networks (CVE-2019-16458) 
  • Lexuan Sun, Hao Cai of Palo Alto Networks (CVE-2019-16459)
  • Yue Guan, Haozhe Zhang of Palo Alto Networks (CVE-2019-16464) 
  • Hui Gao of Palo Alto networks (CVE-2019-16465)
  • Zhibin Zhang, Yue Guan of Palo Alto Networks (CVE-2019-16465)
  • Zhangqing and Zhiyuan Wang from cdsrc of Qihoo 360 (CVE-2019-16470)

 

Revisions

March 26, 2020: Added acknowledgement for CVE-2019-16471, CVE-2019-16470

.