Adobe has released a security update for Acrobat and Reader for Windows and macOS. It closes a total of 26 vulnerabilities, 11 of which are classified as critical and the rest as important. An attacker could potentially inject and execute malicious code, possibly even without the user's knowledge.
Acrobat DC and Reader DC 2020.009.20074 and earlier, Acrobat 2020 and Reader 2020 2020.001.30002 and earlier, Acrobat 2017 and Reader 2017 2017.011.30171 and earlier, and Acrobat 2015 and Reader 2015 2015.006.30523 and earlier are affected.
According to a security advisory, two memory errors allow remote code execution. Adobe describes two other critical vulnerabilities as security feature bypasses. The update also fixes several critical buffer errors and use-after-free bugs that can likewise be used for remote code execution.
In addition, vulnerabilities in the PDF applications can disclose memory contents and thus enable attackers to steal confidential information. The current security updates also prevent privilege escalation, and they are designed to protect users from denial-of-service attacks.
The bugs were discovered by researchers working for Trend Micro’s Zero Day Initiative, among others. Employees from Qihoo 360, Offensive Security, Palo Alto Networks, Tencent and several universities in the USA and China also reported vulnerabilities in Reader and Acrobat.
Affected users should install the patches for Acrobat and Reader DC, Acrobat and Reader 2020, 2017 and 2015, which are available for Windows and macOS, as soon as possible. The update can be installed via the integrated update function or from the Adobe website.
Another security update is available for Lightroom Classic 184.108.40.206 and earlier. A flaw in the way the application loads program libraries can lead to privilege escalation. Version 9.3, which is offered for Windows and macOS, fixes the flaw, although it only occurs under Windows.