Adobe Security Bulletin
Security updates available for Adobe Acrobat and Reader | APSB19-07
Bulletin ID Date Published Priority
APSB19-07 February 12, 2019 2

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows and MacOS. These updates address critical and important vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.    

Affected Versions

Product Track Affected Versions Platform
Acrobat DC  Continuous 
2019.010.20069 and earlier versions 
Windows and macOS
Acrobat Reader DC Continuous
2019.010.20069 and earlier versions Windows and macOS
       
Acrobat 2017 Classic 2017 2017.011.30113 and earlier version Windows and macOS
Acrobat Reader 2017 Classic 2017 2017.011.30113 and earlier version Windows and macOS
       
Acrobat DC  Classic 2015 2015.006.30464 and earlier versions  Windows and macOS
Acrobat Reader DC  Classic 2015 2015.006.30464 and earlier versions  Windows and macOS

Solution

Adobe recommends users update their software installations to the latest versions by following the instructions below.
The latest product versions are available to end users via one of the following methods:

  • Users can update their product installations manually by choosing Help > Check for Updates.
  • The products will update automatically, without requiring user intervention, when updates are detected.
  • The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.  

For IT administrators (managed environments):

  • Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.
  • Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product Track Updated Versions Platform Priority Rating Availability
Acrobat DC Continuous 2019.010.20091 Windows and macOS 2 Windows

macOS
Acrobat Reader DC Continuous 2019.010.20091
Windows and macOS 2 Windows

macOS
           
Acrobat 2017 Classic 2017 2017.011.30120 Windows and macOS 2 Windows

macOS
Acrobat Reader DC 2017 Classic 2017 2017.011.30120 Windows and macOS 2 Windows

macOS
           
Acrobat DC Classic 2015 2015.006.30475 Windows and macOS 2 Windows

macOS
Acrobat Reader DC Classic 2015 2015.006.30475 Windows and macOS 2 Windows

macOS

Vulnerability Details

Vulnerability Category Vulnerability Impact Severity CVE Number
Buffer Errors Arbitrary Code Execution  Critical 

CVE-2019-7020

CVE-2019-7085

Data leakage (sensitive) Information Disclosure Critical  CVE-2019-7089
Double Free Arbitrary Code Execution  Critical  CVE-2019-7080
Integer Overflow Information Disclosure Critical  CVE-2019-7030
Out-of-Bounds Read Information Disclosure Important

CVE-2019-7021

CVE-2019-7022

CVE-2019-7023

CVE-2019-7024

CVE-2019-7028

CVE-2019-7032

CVE-2019-7033

CVE-2019-7034

CVE-2019-7035

CVE-2019-7036

CVE-2019-7038

CVE-2019-7045

CVE-2019-7047

CVE-2019-7049

CVE-2019-7053

CVE-2019-7055

CVE-2019-7056

CVE-2019-7057

CVE-2019-7058

CVE-2019-7059

CVE-2019-7063

CVE-2019-7064

CVE-2019-7065

CVE-2019-7067

CVE-2019-7071

CVE-2019-7073

CVE-2019-7074 

CVE-2019-7081

Security bypass Privilege Escalation Critical 

CVE-2018-19725

CVE-2019-7041

Out-of-Bounds Write Arbitrary Code Execution  Critical 

CVE-2019-7019

CVE-2019-7027

CVE-2019-7037

CVE-2019-7039

CVE-2019-7052

CVE-2019-7060

CVE-2019-7079

Type Confusion Arbitrary Code Execution   Critical

CVE-2019-7069

CVE-2019-7086

CVE-2019-7087

Untrusted Pointer Dereference Arbitrary Code Execution    Critical

CVE-2019-7042

CVE-2019-7046

CVE-2019-7051

CVE-2019-7054

CVE-2019-7066

CVE-2019-7076

Use After Free  Arbitrary Code Execution   Critical 

CVE-2019-7018

CVE-2019-7025 

CVE-2019-7026

CVE-2019-7029 

CVE-2019-7031

CVE-2019-7040 

CVE-2019-7043

CVE-2019-7044 

CVE-2019-7048

CVE-2019-7050 

CVE-2019-7062

CVE-2019-7068 

CVE-2019-7070

CVE-2019-7072 

CVE-2019-7075

CVE-2019-7077 

CVE-2019-7078

CVE-2019-7082 

CVE-2019-7083

CVE-2019-7084 

Acknowledgements

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

  • Sebastian Apelt  via Trend Micro's Zero Day Initiative (CVE-2019-7044, CVE-2019-7045, CVE-2019-7048) 

  • Abdul-Aziz Hariri via Trend Micro Zero Day Initiative (CVE-2018-19725, CVE-2019-7041) 

  • Linan Hao of Qihoo 360 Vulcan Team and Zhenjie Jia of Qihoo 360 Vulcan Team (CVE-2019-7018, CVE-2019-7019, CVE-2019-7020, CVE-2019-7021, CVE-2019-7022, CVE-2019-7023, CVE-2019-7024, CVE-2019-7029)

  • @j00sean working with iDefense Labs (CVE-2019-7040)

  • 360Security (CVE-2019-7030)

  • Aleksandar Nikolic of Cisco Talos. (CVE-2019-7039)

  • Anonymous working with Trend Micro Zero Day Initiative (CVE-2019-7077)

  • Gal De Leon of Palo Alto Network (CVE-2019-7025) 

  • Juan Pablo Lopez Yacubian working with Trend Micro Zero Day Initiative (CVE-2019-7078)

  • kdot working with Trend Micro's Zero Day Initiative (CVE-2019-7049)

  • Ke Liu of Tencent Security Xuanwu Lab (CVE-2019-7033, CVE-2019-7034, CVE-2019-7035, CVE-2019-7036, CVE-2019-7037, CVE-2019-7038, CVE-2019-7047)

  • Mat Powell of Trend Micro Zero Day Initiative (CVE-2019-7071, CVE-2019-7072, CVE-2019-7073, CVE-2019-7074, CVE-2019-7075)

  • Yoav Alon & Netanel Ben-Simon from Check Point Research (CVE-2019-7080, CVE-2019-7081)

  • Steven Seeley via Trend Micro's Zero Day Initiative (CVE-2019-7069, CVE-2019-7070)

  • T3rmin4t0r working with Trend Micro's Zero Day Initiative (CVE-2019-7042, CVE-2019-7043)

  • Steven Seeley (mr_me) of Source Incite working with iDefense Labs (CVE-2019-7084, CVE-2019-7085, CVE-2019-7086, CVE-2019-7087)

  • Tencent Atuin Team (CVE-2019-7031, CVE-2019-7032)

  • Xu Peng and Su Purui of TCA/SKLCS Institute of Software Chinese Academy of Sciences (CVE-2019-7076)

  • Zhenjie Jia of Qihoo360 Vulcan Team (CVE-2019-7062, CVE-2019-7063, CVE-2019-7064, CVE-2019-7067)

  • Zhiyuan Wang from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. working with Trend Micro Zero Day Initiative (CVE-2019-7079)

  • Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team (CVE-2019-7065, CVE-2019-7066, CVE-2019-7068)

  • Zhibin Zhang of Palo Alto Networks (CVE-2019-7026, CVE-2019-7027, CVE-2019-7028, CVE-2019-7082)

  • Qi Deng of Palo Alto Networks (CVE-2019-7046, CVE-2019-7050, CVE-2019-7051, CVE-2019-7083)

  • Hui Gao of Palo Alto Networks (CVE-2019-7052, CVE-2019-7053, CVE-2019-7054) 

  • Zhaoyan Xu of Palo Alto Networks (CVE-2019-7055, CVE-2019-7056, CVE-2019-7057)

  • Zhanglin He of Palo Alto Networks (CVE-2019-7058, CVE-2019-7059, CVE-2019-7060)
  • Wei Lei of STARLabs (CVE-2019-7035)

Revisions

April 1, 2019: Reference to CVE-2019-7035 added to Acknowledgments section