==================================================================== CERT-Renater Note d'Information No. 2020/VULN448 _____________________________________________________________________ DATE : 14/08/2020 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Adobe Acrobat, Adobe Reader versions prior to 2020.012.20041, 2020.001.30005, 2017.011.30175, 2015.006.30527. ===================================================================== https://helpx.adobe.com/security/products/acrobat/apsb20-48.html _____________________________________________________________________ Security Updates Available for Adobe Acrobat and Reader | APSB20-48 Bulletin ID Date Published Priority APSB20-48 August 11, 2020 2 Summary Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user. Affected Versions Product Track Affected Versions Platform Acrobat DC Continuous 2020.009.20074 and earlier versions          Windows & macOS Acrobat Reader DC Continuous 2020.009.20074 and earlier versions      Windows & macOS Acrobat 2020 Classic 2020    2020.001.30002 Windows & macOS Acrobat Reader 2020 Classic 2020  2020.001.30002 Windows & macOS Acrobat 2017 Classic 2017 2017.011.30171 and earlier versions         Windows & macOS Acrobat Reader 2017 Classic 2017 2017.011.30171 and earlier versions      Windows & macOS Acrobat 2015 Classic 2015 2015.006.30523 and earlier versions      Windows & macOS Acrobat Reader 2015 Classic 2015 2015.006.30523 and earlier versions     Windows & macOS Solution Adobe recommends users update their software installations to the latest versions by following the instructions below.     The latest product versions are available to end users via one of the following methods:     Users can update their product installations manually by choosing Help > Check for Updates.      The products will update automatically, without requiring user intervention, when updates are detected.      The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.      For IT administrators (managed environments):      Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.      Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.         Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:     Product Track Updated Versions Platform Priority Rating Availability Acrobat DC Continuous 2020.012.20041 Windows and macOS 2 Windows    macOS   Acrobat Reader DC Continuous 2020.012.20041 Windows and macOS 2 Windows macOS Acrobat 2020 Classic 2020     2020.001.30005 Windows and macOS    2 Windows    macOS   Acrobat Reader 2020 Classic 2020    2020.001.30005 Windows and macOS     2 Windows macOS Acrobat 2017 Classic 2017 2017.011.30175 Windows and macOS 2 Windows macOS Acrobat Reader 2017 Classic 2017 2017.011.30175 Windows and macOS 2 Windows macOS Acrobat 2015 Classic 2015 2015.006.30527 Windows and macOS 2 Windows macOS Acrobat Reader 2015 Classic 2015 2015.006.30527 Windows and macOS 2 Windows macOS Vulnerability Details Vulnerability Category Vulnerability Impact Severity CVE Number Disclosure of Sensitive Data Memory Leak Important   CVE-2020-9697 Security bypass Privilege Escalation Important CVE-2020-9714 Out-of-bounds write Arbitrary Code Execution  Critical CVE-2020-9693 CVE-2020-9694 Security bypass Security feature bypass Critical  CVE-2020-9696 CVE-2020-9712 Stack exhaustion Application denial-of-service Important CVE-2020-9702 CVE-2020-9703 Out-of-bounds read Information disclosure Important CVE-2020-9723 CVE-2020-9705 CVE-2020-9706 CVE-2020-9707 CVE-2020-9710 CVE-2020-9716 CVE-2020-9717 CVE-2020-9718 CVE-2020-9719 CVE-2020-9720 CVE-2020-9721 Buffer error Arbitrary Code Execution      Critical  CVE-2020-9698 CVE-2020-9699 CVE-2020-9700 CVE-2020-9701 CVE-2020-9704 Use-after-free   Arbitrary Code Execution    Critical  CVE-2020-9715 CVE-2020-9722 Acknowledgements Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:     Anonymous working with Trend Micro Zero Day Initiative (CVE-2020-9693, CVE-2020-9694) Steven Seeley of Qihoo 360 Vulcan Team (CVE-2020-9723) Abdul-Aziz Hariri of Trend Micro Zero Day Initiative (CVE-2020-9697, CVE-2020-9706, CVE-2020-9707, CVE-2020-9710, CVE-2020-9712) Csaba Fitzl (@theevilbit) from Offensive Security working with iDefense Labs (CVE-2020-9714) Kyle Martin from North Carolina State University, Sung Ta Dinh from Arizona State University, Haehyun Cho from Arizona State University, Ruoyu "Fish" Wang from Arizona State University and Alexandros Kapravelos from North Carolina State University (CVE-2020-9722) Ken Hsu of Palo Alto Networks. (CVE-2020-9695) Zhangqing, Zhiyuan Wang and willJ from cdsrc of Qihoo 360 (CVE-2020-9716, CVE-2020-9717, CVE-2020-9718, CVE-2020-9719, CVE-2020-9720, CVE-2020-9721) Mark Vincent Yason (@MarkYason) working with Trend Micro Zero Day Initiative (CVE-2020-9715) Xinyu Wan, Yiwei Zhang and Wei You from Renmin University of China (CVE-2020-9705, CVE-2020-9711, CVE-2020-9713)   Xu Peng from TCA/SKLCS Institute of Software Chinese Academy of Sciences and Wang Yanhao from QiAnXin Technology Research Institute (CVE-2020-9698, CVE-2020-9699, CVE-2020-9700, CVE-2020-9701, CVE-2020-9702, CVE-2020-9703, CVE-2020-9704) Yuebin Sun(@yuebinsun) of Tencent Security Xuanwu Lab (CVE-2020-9696) ========================================================= + CERT-RENATER       |    tel : 01-53-94-20-44          + + 23/25 Rue Daviel   |    fax : 01-53-94-20-41          + + 75013 Paris        |    email:cert@support.renater.fr + =========================================================