Security Update available for Adobe Acrobat and Reader | APSB20-24
Bulletin ID Date Published Priority
APSB20-24 May 12, 2020 2

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user. 

Affected Versions

Product Track Affected Versions Platform
Acrobat DC  Continuous 

2020.006.20042 and earlier versions  Windows & macOS
Acrobat Reader DC Continuous  2020.006.20042 and earlier versions 
Windows & macOS
       
Acrobat 2017 Classic 2017 2017.011.30166  and earlier versions  Windows & macOS
Acrobat Reader 2017 Classic 2017 2017.011.30166 and earlier versions Windows & macOS
       
Acrobat 2015  Classic 2015 2015.006.30518 and earlier versions Windows & macOS
Acrobat Reader 2015 Classic 2015 2015.006.30518 and earlier versions Windows & macOS

Solution

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

  • Users can update their product installations manually by choosing Help > Check for Updates.     

  • The products will update automatically, without requiring user intervention, when updates are detected.      

  • The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     

For IT administrators (managed environments):     

  • Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.     

  • Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     

   

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

Product Track Updated Versions Platform Priority Rating Availability
Acrobat DC Continuous 2020.009.20063 Windows and macOS 2

Windows    

macOS  

Acrobat Reader DC Continuous 2020.009.20063
Windows and macOS 2

Windows


macOS

           
Acrobat 2017 Classic 2017 2017.011.30171 Windows and macOS 2

Windows

macOS

Acrobat Reader 2017 Classic 2017 2017.011.30171 Windows and macOS 2

Windows

macOS

           
Acrobat 2015 Classic 2015 2015.006.30523 Windows and macOS 2

Windows

macOS

Acrobat Reader 2015 Classic 2015 2015.006.30523 Windows and macOS 2

Windows

macOS

Vulnerability Details

Vulnerability Category Vulnerability Impact Severity CVE Number
Null Pointer Application denial-of-service Important   

CVE-2020-9610

Heap Overflow Arbitrary Code Execution          Critical  CVE-2020-9612
Race Condition Security feature bypass Critical  CVE-2020-9615
Out-of-bounds write Arbitrary Code Execution          Critical 

CVE-2020-9597

CVE-2020-9594

Security bypass Security feature bypass Critical 

CVE-2020-9614

CVE-2020-9613

CVE-2020-9596

CVE-2020-9592

Stack exhaustion Application denial-of-service Important  CVE-2020-9611
Out-of-bounds read Information disclosure Important 

CVE-2020-9609

CVE-2020-9608

CVE-2020-9603

CVE-2020-9602

CVE-2020-9601

CVE-2020-9600

CVE-2020-9599

Buffer error Arbitrary Code Execution          Critical 

CVE-2020-9605

CVE-2020-9604

Use-after-free    Arbitrary Code Execution          Critical 

CVE-2020-9607

CVE-2020-9606

Invalid memory access Information disclosure Important 

CVE-2020-9598

CVE-2020-9595

CVE-2020-9593

Acknowledgements

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:    

  • Anonymous working with Trend Micro Zero Day Initiative (CVE-2020-9597)
  • Aleksandar Nikolic of Cisco Talos. (CVE-2020-9609, CVE-2020-9607)
  • Fluoroacetate (CVE-2020-9606)
  • L4N working with Trend Micro Zero Day Initiative (CVE-2020-9612)
  • Liubenjin from Codesafe Team of Legendsec at Qi’anxin Group (CVE-2020-9608)
  • mipu94 working with iDefense Labs (CVE-2020-9594)
  • Christian Mainka, Vladislav Mladenov, Simon Rohlmann, Jörg Schwenk; Ruhr University Bochum, Chair for network and data security (CVE-2020-9592 & CVE-2020-9596)
  • Xinyu Wan, Yiwei Zhang and Wei You from Renmin University of China (CVE-2020-9611, CVE-2020-9610, CVE-2020-9605, CVE-2020-9604, CVE-2020-9603, CVE-2020-9598, CVE-2020-9595, CVE-2020-9593)
  • Yuebin Sun(@yuebinsun) of Tencent Security Xuanwu Lab (CVE-2020-9615, CVE-2020-9614, CVE-2020-9613)
  • Zhiyuan Wang and willJ from cdsrc of Qihoo 360 (CVE-2020-9602, CVE-2020-9601, CVE-2020-9600, CVE-2020-9599)