Critical vulnerabilities fixed in Adobe Reader and Acrobat

Critical vulnerabilities fixed in Adobe Reader and Acrobat

Hello folks,


The lack of Adobe updates in the March Patch Tuesday might have come as a surprise to many of us. However a week from Patch Tuesday, Adobe has released updates to fix 13 vulnerabilities in Adobe Acrobat and Reader for Windows and macOS. 9 of them are rated 'Critical'.

 

Affected versions


These versions are applicable for both Windows and mac platforms

 

  • Acrobat DC Continuous 2020.006.20034 and earlier versions 

  • Acrobat Reader DC Continuous 2020.006.20034 and earlier versions 

  • Acrobat 2017 Classic 2017 2017.011.30158  and earlier versions

  • Acrobat Reader 2017 Classic 2017 2017.011.30158 and earlier versions

  • Acrobat 2015 Classic 2015 2015.006.30510 and earlier versions

  • Acrobat Reader 2015 Classic 2015 2015.006.30510 and earlier versions

 

Vulnerability details


The CVE IDs and other details of the vulnerability are as follows 

CVE ID
Severity
Category 
Impact 

CVE-2020-3804

CVE-2020-3806

Important   
Out-of-bounds read
Information Disclosure  

CVE-2020-3795

Critical 
Out-of-bounds write
Arbitrary Code Execution
  CVE-2020-3799
Critical
Stack-based buffer overflow
Arbitrary Code Execution

CVE-2020-3792

 CVE-2020-3793

 CVE-2020-3801

 CVE-2020-3802

 CVE-2020-3805

Critical
Use-after-free
Arbitrary Code Execution
  CVE-2020-3800
Important 
Memory address leak
Information Disclosure 
  CVE-2020-3807
Critical
Buffer overflow
Arbitrary Code Execution
  CVE-2020-3797
Critical 
Memory corruption
Arbitrary Code Execution
  CVE-2020-3803
Important 
Insecure library loading (DLL hijacking)
Privilege Escalation

Adobe has requested its users to upgrade to the latest versions of Acrobat DC, Acrobat Reader DC, Acrobat 2017, Acrobat Reader 2017, Acrobat 2015, and Acrobat Reader 2015. 

Using Patch Manager Plus, you can install these updates thus,

  • Initiate a sync between the Patch Manager Plus server and the Vulnerability Database

  • Navigate to the missing patches tab and search for the following patch IDs or Bulletin

  •   Patch ID
      Bulletin ID
      313395
      TU-754
      313396
      TU-753
      313397
      TU-135
      313398
      TU-137
      313399
      TU-072
      313400
      TU-073
      313401
      TU-136
  • Install these patches on the systems missing them.


Cheers,
ManageEngine team


                New to ADSelfService Plus?