Was that November’s Patch Tuesday? Already? Oh, no, it’s just Adobe issuing 14 emergency security fixes
Adobe on Tuesday published updated versions of its Acrobat and Reader software to fix fourteen flaws, four of which have been designated “critical.” The updates should be installed as soon as possible to close off the holes.
The security bulletin (APSB20-67) covers Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017, and Acrobat Reader 2017 for macOS and Windows.
It flags fourteen CVEs:
| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
|---|---|---|---|
| Heap-based buffer overflow | Arbitrary Code Execution | Critical | CVE-2020-24435 |
| Improper access control | Local privilege escalation | Important | CVE-2020-24433 |
| Improper input validation | Arbitrary JavaScript Execution | Important | CVE-2020-24432 |
| Signature validation bypass | Minimal (defense-in-depth fix) | Moderate | CVE-2020-24439 |
| Signature verification bypass | Local privilege escalation | Important | CVE-2020-24429 |
| Improper input validation | Information Disclosure | Important | CVE-2020-24427 |
| Security feature bypass | Dynamic library injection | Important | CVE-2020-24431 |
| Out-of-bounds write | Arbitrary Code Execution | Critical | CVE-2020-24436 |
| Out-of-bounds read | Information Disclosure | Moderate | CVE-2020-24426, CVE-2020-24434 |
| Race Condition | Local privilege escalation | Important | CVE-2020-24428 |
| Use-after-free | Arbitrary Code Execution | Critical | CVE-2020-24430, CVE-2020-24437 |
| Use-after-free | Information Disclosure | Moderate | CVE-2020-24438 |
None of the CVEs identified have yet been named by CERT/CC’s Vulnonym bot, so we have that to look forward to. At the time this article was filed, the most recent CVE bestowed with a name was an IBM App Connect Enterprise Certified Container click hijacking bug (CVE-2020-4785), dubbed “Whacking Mouflon.” (A mouflon, in case you were wondering, is a wild sheep associated with the islands of Corsica and Sardinia.)
The four critical flaws, if successfully exploited, could allow “arbitrary code execution in the context of the current user,” Adobe says in its bulletin. That’s definitely not desirable from a security perspective, so anyone using affected Adobe software would do well to update immediately.
The vulnerabilities rated “important” and “moderate” shouldn’t be discounted either. They could allow local privilege escalation, arbitrary JavaScript execution, dynamic library injection, and information disclosure, among other unappealing outcomes.
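Knowing whether a fleet actually has the fixed builds is the practical question this bulletin raises, so here is a small Python helper, added for this page and not code from The Register or Adobe, that classifies an installed Acrobat or Reader version string by release track and reports whether it is at or above the build that APSB20-67 ships. The fixed-version numbers in `FIXED_BUILDS` are the editor’s recollection of the bulletin and are an assumption to confirm against it; the sample inventory is constructed.

```python
from __future__ import annotations

# Added example; not code from The Register or Adobe.
# Fixed builds per track as recalled from APSB20-67. This is an assumption,
# not something the article states: confirm against the bulletin before use.
FIXED_BUILDS = {
    "Acrobat/Reader DC (Continuous)": (2020, 13, 20064),
    "Acrobat/Reader 2020 (Classic)": (2020, 1, 30005),
    "Acrobat/Reader 2017 (Classic)": (2017, 11, 30175),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '2020.013.20064' or the registry-style '20.013.20064' into a tuple.

    Adobe's zero-padded middle component ('013') compares correctly once it
    is converted to int; the two-digit year form is normalised to four digits.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version string: {text!r}")
    major, minor, build = (int(p) for p in parts)
    if major < 100:  # '20.013.20064' as seen in the Windows registry
        major += 2000
    return major, minor, build


def identify_track(version: tuple[int, int, int]) -> str:
    """Map a version to its release track.

    Classic tracks keep a fixed year.minor prefix (2017.011.x, 2020.001.x);
    anything else is treated as the Continuous track, which is where an
    earlier 2020.012.x or a 2019.x build belongs.
    """
    major, minor, _ = version
    if (major, minor) == (2017, 11):
        return "Acrobat/Reader 2017 (Classic)"
    if (major, minor) == (2020, 1):
        return "Acrobat/Reader 2020 (Classic)"
    return "Acrobat/Reader DC (Continuous)"


def is_patched(text: str) -> tuple[str, bool]:
    """Return (track, patched?) for one installed version string."""
    version = parse_version(text)
    track = identify_track(version)
    return track, version >= FIXED_BUILDS[track]


def audit(inventory: dict[str, str]) -> list[tuple[str, str, str, bool]]:
    """Run is_patched over a host -> version mapping, unpatched hosts first."""
    rows = [(host, ver, *is_patched(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: r[3])  # False (unpatched) sorts first


# Constructed sample inventory, shaped like an asset-management export.
SAMPLE_INVENTORY = {
    "ws-01": "20.012.20048",    # Continuous, earlier 2020 build -> needs update
    "ws-02": "2020.013.20064",  # Continuous, at the fixed build
    "ws-03": "17.011.30166",    # Classic 2017, behind the fixed build
    "ws-04": "20.001.30005",    # Classic 2020, at the fixed build
}

if __name__ == "__main__":
    for host, ver, track, ok in audit(SAMPLE_INVENTORY):
        print(f"{host:6} {ver:15} {track:32} {'ok' if ok else 'UPDATE'}")
```

Feed it the `DisplayVersion` values from the Acrobat uninstall entries (or whatever the inventory tool reports) and anything flagged `UPDATE` is still exposed to the fourteen CVEs above. The track detection is deliberately simple; a 2015 Classic install, which the bulletin does not cover, would be misclassified as Continuous and flagged for update, which is the safe failure.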
Adobe generally issues patches on “Patch Tuesday,” a date observed by many tech companies that falls on the second Tuesday of every month. The Register asked Adobe why it chose to issue an out-of-band patch on the first Tuesday of the month (November 3), and a company spokesperson said that happens sometimes but offered no explanation.
“While Adobe strives to release regularly scheduled updates on update/patch Tuesday, occasionally those regularly scheduled security updates are released on non-update/patch Tuesday dates,” the spokesperson said.
“The November 2020 release of Adobe Reader and Acrobat is a standard product release that includes new product features as well as fixes for bugs and security vulnerabilities.” ®