Adobe eliminates 11 critical bugs in Acrobat, Reader

For the August edition of Patch Tuesday, Adobe Systems today supplied fixes for 26 vulnerabilities — 11 critical — in Acrobat and Reader and one in its image organization and manipulation software Lightroom Classic.

Nine of the 11 critical flaws can result in arbitrary code execution. Two are caused by out-of-bounds write conditions (CVE-2020-9693, CVE-2020-9694), five are identified as buffer errors (CVE-2020-9698, CVE-2020-9699, CVE-2020-9700, CVE-2020-9701, CVE-2020-9704), and two are use-after-free bugs (CVE-2020-9715, CVE-2020-9722). The final two critical vulnerabilities are a pair of security feature bypass flaws (CVE-2020-9696, CVE-2020-9712).

Adobe also repaired 15 important bugs, with consequences that include memory leak, privilege escalation, application denial of service and information disclosure.

The vulnerabilities were fixed in the newly released version 2020.012.20041 of Acrobat DC and Reader, version 2020.001.30005 of Acrobat 2020 and Acrobat Reader 2020, version 2017.011.30175 of Acrobat 2017 and Acrobat Reader 2017, and version 2015.006.30527 of Acrobat 2015 and Acrobat Reader 2015.

Adobe also fixed an important privilege escalation bug in Lightroom Classic for Windows, with the release of version 9.3.

Richard Melick, senior technical product manager at Automox, noted how last month Adobe announced two out-of-band security updates in the weeks following the company's official Patch Tuesday [1, 2]. "Whether this is due to the increased usage, and thus data collection, of their products with more folks [working] remote or an increase in vulnerability research, the uptick in releases shows promise for Adobe's approach to product security," he said. However, "With a patch released every week from Adobe, it also shows that waiting until Patch Tuesday to research and deploy the updates could be leaving endpoints susceptible to known vulnerabilities."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
