==================================================================== CERT-Renater Note d'Information No. 2019/VULN405 _____________________________________________________________________ DATE : 11/12/2019 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Adobe Acrobat, Adobe Reader versions prior to 2019.021.20058, 2017.011.30156, 2015.006.30508. ===================================================================== https://helpx.adobe.com/security/products/acrobat/apsb19-55.html _____________________________________________________________________ Security update available for Adobe Acrobat and Reader | APSB19-55 Bulletin ID Date Published Priority APSB19-55 December 10, 2019 2 Summary Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.     Affected Versions Product Track Affected Versions Platform Acrobat DC Continuous 2019.021.20056 and earlier versions  Windows & macOS Acrobat Reader DC Continuous 2019.021.20056 and earlier versions Windows & macOS Acrobat 2017 Classic 2017 2017.011.30152 and earlier versions  Windows Acrobat 2017 Classic 2017 2017.011.30155 and earlier version macOS Acrobat Reader 2017 Classic 2017 2017.011.30152 and earlier versions Windows & macOS Acrobat 2015 Classic 2015 2015.006.30505 and earlier versions Windows & macOS Acrobat Reader 2015 Classic 2015 2015.006.30505 and earlier versions Windows & macOS Solution Adobe recommends users update their software installations to the latest versions by following the instructions below.     The latest product versions are available to end users via one of the following methods:     Users can update their product installations manually by choosing Help > Check for Updates.      The products will update automatically, without requiring user intervention, when updates are detected.      The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.      For IT administrators (managed environments):      Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.      Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.       Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:      Product Track Updated Versions Platform Priority Rating Availability Acrobat DC Continuous 2019.021.20058 Windows and macOS 2 Windows  macOS   Acrobat Reader DC Continuous 2019.021.20058 Windows and macOS 2 Windows macOS Acrobat 2017 Classic 2017 2017.011.30156 Windows and macOS 2 Windows macOS Acrobat Reader 2017 Classic 2017 2017.011.30156 Windows and macOS 2 Windows macOS Acrobat 2015 Classic 2015 2015.006.30508 Windows and macOS 2 Windows macOS Acrobat Reader 2015 Classic 2015 2015.006.30508 Windows and macOS 2 Windows macOS Vulnerability Details Vulnerability Category Vulnerability Impact Severity CVE Number Out-of-Bounds Read   Information Disclosure   Important    CVE-2019-16449 CVE-2019-16456 CVE-2019-16457 CVE-2019-16458 CVE-2019-16461 CVE-2019-16465 Out-of-Bounds Write  Arbitrary Code Execution    Critical CVE-2019-16450 CVE-2019-16454 Use After Free    Arbitrary Code Execution      Critical CVE-2019-16445 CVE-2019-16448 CVE-2019-16452 CVE-2019-16459 CVE-2019-16464 Heap Overflow  Arbitrary Code Execution      Critical CVE-2019-16451 Buffer Error Arbitrary Code Execution      Critical CVE-2019-16462 Untrusted Pointer Dereference Arbitrary Code Execution  Critical CVE-2019-16446 CVE-2019-16455 CVE-2019-16460 CVE-2019-16463 Binary Planting (default folder privilege escalation) Privilege Escalation Important  CVE-2019-16444 Security Bypass Arbitrary Code Execution Critical CVE-2019-16453 Acknowledgements Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:     Mateusz Jurczyk of Google Project Zero (CVE-2019-16451) Honc (章哲瑜) (CVE-2019-16444) Ke Liu of Tencent Security Xuanwu Lab. (CVE-2019-16445, CVE-2019-16449, CVE-2019-16450, CVE-2019-16454) Sung Ta (@Mipu94) of SEFCOM Lab, Arizona State University (CVE-2019-16446, CVE-2019-16448) Aleksandar Nikolic of Cisco Talos (CVE-2019-16463) Technical support team of HTBLA Leonding (CVE-2019-16453) Haikuo Xie of Baidu Security Lab (CVE-2019-16461) Bit of STAR Labs (CVE-2019-16452) Xinyu Wan and Yiwei Zhang from Renmin University of China (CVE-2019-16455, CVE-2019-16460, CVE-2019-16462) Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team (CVE-2019-16456) Zhibin Zhang of Palo Alto Networks (CVE-2019-16457) Qi Deng, Ken Hsu of Palo Alto Networks (CVE-2019-16458) Lexuan Sun, Hao Cai of Palo Alto Networks (CVE-2019-16459) Yue Guan, Haozhe Zhang of Palo Alto Networks (CVE-2019-16464) Hui Gao of Palo Alto networks (CVE-2019-16465) Zhibin Zhang, Yue Guan of Palo Alto Networks (CVE-2019-16465) ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================