Adobe closes eleven critical security holes in Reader and Acrobat

Adobe closes a total of 26 holes in its PDF applications. Among other things, they allow malicious code to be smuggled in and executed remotely. A security update is also available for Lightroom Classic.

Adobe has released a security update for Acrobat and Reader for Windows and macOS. It closes a total of 26 vulnerabilities, 11 of which are classified as critical and the rest as important. An attacker could smuggle in and execute malicious code, possibly even without the user's knowledge.

Acrobat DC and Reader DC 2020.009.20074 and earlier, Acrobat 2020 and Reader 2020 2020.001.30002 and earlier, Acrobat 2017 and Reader 2017 2017.011.30171 and earlier, and Acrobat 2015 and Reader 2015 2015.006.30523 and earlier are affected.

According to a security advisory, two memory errors allow remote code execution. Adobe describes two other critical vulnerabilities as security feature bypass. It also fixes several critical buffer errors and use-after-free bugs that can also be used for remote code execution.

In addition, vulnerabilities in the PDF applications can reveal memory contents and thus enable attackers to steal confidential information. The current security updates also prevent privilege escalation, that is, an unauthorized extension of user rights. They are also designed to protect users from denial-of-service attacks.

The bugs were discovered by researchers working for Trend Micro’s Zero Day Initiative, among others. Employees from Qihoo 360, Offensive Security, Palo Alto Networks, Tencent and several universities in the USA and China also reported vulnerabilities in Reader and Acrobat.

Affected users should install the available patches for Acrobat and Reader DC, Acrobat and Reader 2020, 2017 and 2015, which are available for Windows and macOS, as soon as possible. The update is delivered via the integrated update function or the Adobe website.

Another security update is available for Lightroom Classic 9.2.0.10 and earlier. An error when loading program libraries can lead to privilege escalation. Version 9.3, which is offered for Windows and macOS, fixes the error, although it only occurs under Windows.

