Adobe Security Bulletin
Security updates available for Adobe Acrobat and Reader | APSB19-49
Bulletin ID Date Published Priority
APSB19-49 October 15, 2019 2

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and  important vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.    

Affected Versions

Product Track Affected Versions Platform
Acrobat DC  Continuous 

2019.012.20040 and earlier versions  Windows & macOS
Acrobat Reader DC Continuous  2019.012.20040 and earlier versions  Windows & macOS
       
Acrobat 2017 Classic 2017 2017.011.30148 and earlier versions   Windows & macOS
Acrobat Reader 2017 Classic 2017 2017.011.30148 and earlier versions Windows & macOS
       
Acrobat 2015  Classic 2015 2015.006.30503 and earlier versions  Windows & macOS
Acrobat Reader 2015 Classic 2015 2015.006.30503 and earlier versions Windows & macOS

Solution

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

  • Users can update their product installations manually by choosing Help > Check for Updates.     

  • The products will update automatically, without requiring user intervention, when updates are detected.      

  • The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     

For IT administrators (managed environments):     

  • Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.     

  • Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     

   

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

Product Track Updated Versions Platform Priority Rating Availability
Acrobat DC Continuous 2019.021.20047 Windows and macOS 2

Windows    

macOS  

Acrobat Reader DC Continuous 2019.021.20047
Windows and macOS 2

Windows


macOS

           
Acrobat 2017 Classic 2017 2017.011.30150 Windows and macOS 2

Windows

macOS

Acrobat Reader 2017 Classic 2017 2017.011.30150 Windows and macOS 2

Windows

macOS

           
Acrobat 2015 Classic 2015 2015.006.30504 Windows and macOS 2

Windows

macOS

Acrobat Reader 2015 Classic 2015 2015.006.30504 Windows and macOS 2

Windows

macOS

Vulnerability Details

Vulnerability Category Vulnerability Impact Severity CVE Number
Out-of-Bounds Read   Information Disclosure   Important   

CVE-2019-8164

CVE-2019-8168

CVE-2019-8172

CVE-2019-8173

CVE-2019-8064

CVE-2019-8182

CVE-2019-8184

CVE-2019-8185

CVE-2019-8189

CVE-2019-8163

CVE-2019-8190

CVE-2019-8193

CVE-2019-8194

CVE-2019-8198

CVE-2019-8201

CVE-2019-8202

CVE-2019-8204

CVE-2019-8207

CVE-2019-8216

CVE-2019-8218

CVE-2019-8222

Out-of-Bounds Write  Arbitrary Code Execution    Critical

CVE-2019-8171

CVE-2019-8186

CVE-2019-8165

CVE-2019-8191

CVE-2019-8199

CVE-2019-8206

Use After Free    Arbitrary Code Execution      Critical

CVE-2019-8175

CVE-2019-8176

CVE-2019-8177

CVE-2019-8178

CVE-2019-8179

CVE-2019-8180

CVE-2019-8181

CVE-2019-8187

CVE-2019-8188

CVE-2019-8192

CVE-2019-8203

CVE-2019-8208

CVE-2019-8209

CVE-2019-8210

CVE-2019-8211

CVE-2019-8212

CVE-2019-8213

CVE-2019-8214

CVE-2019-8215

CVE-2019-8217

CVE-2019-8219

CVE-2019-8220

CVE-2019-8221

CVE-2019-8223

CVE-2019-8224

CVE-2019-8225

Heap Overflow  Arbitrary Code Execution      Critical

CVE-2019-8170

CVE-2019-8183

CVE-2019-8197

Buffer Overrun Arbitrary Code Execution      Critical CVE-2019-8166
Cross-site Scripting  Information Disclosure Important    CVE-2019-8160
Race Condition Arbitrary Code Execution   Critical CVE-2019-8162
Incomplete Implementation of Security Mechanism Information Disclosure Important  CVE-2019-8226
Type Confusion Arbitrary Code Execution   Critical

CVE-2019-8161

CVE-2019-8167

CVE-2019-8169

CVE-2019-8200

Untrusted Pointer Dereference Arbitrary Code Execution  Critical

CVE-2019-8174

CVE-2019-8195

CVE-2019-8196

CVE-2019-8205

Acknowledgements

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:    

  • Anonymous working with Trend Micro Zero Day Initiative (CVE-2019-8203, CVE-2019-8208, CVE-2019-8210, CVE-2019-8217, CVE-2019-8219, CVE-2019-8225)
  • Haikuo Xie of Baidu Security Lab working with Trend Micro Zero Day Initiative (CVE-2019-8209, CVE-2019-8223) 
  • hungtt28 of Viettel Cyber Security working with Trend Micro Zero Day Initiative (CVE-2019-8204)
  • Juan Pablo Lopez Yacubian working with Trend Micro Zero Day Initiative (CVE-2019-8172) 
  • Ke Liu of Tencent Security Xuanwu Lab (CVE-2019-8199, CVE-2019-8200, CVE-2019-8201, CVE-2019-8202)
  • L4Nce working with Trend Micro Zero Day Initiative (CVE-2019-8064) 
  • Mat Powell of Trend Micro Zero Day Initiative (CVE-2019-8166, CVE-2019-8175, CVE-2019-8178, CVE-2019-8179, CVE-2019-8180, CVE-2019-8181, CVE-2019-8187, CVE-2019-8188, CVE-2019-8189, CVE-2019-8163, CVE-2019-8190, CVE-2019-8165, CVE-2019-8191)
  • Mateusz Jurczyk of Google Project Zero (CVE-2019-8195, CVE-2019-8196, CVE-2019-8197)
  • peternguyen working with Trend Micro Zero Day Initiative (CVE-2019-8176, CVE-2019-8224) 
  • Steven Seeley (mr_me) of Source Incite working with Trend Micro Zero Day Initiative (CVE-2019-8170, CVE-2019-8171, CVE-2019-8173, CVE-2019-8174)
  • Heige of Knownsec 404 Security Team (http://www.knownsec.com/) (CVE-2019-8160) 
  • Xizsmin and Lee JinYoung of Codemize Security Research Lab (CVE-2019-8218)
  • Mipu94 of SEFCOM Lab, Arizona State University (CVE-2019-8211, CVE-2019-8212, CVE-2019-8213, CVE-2019-8214, CVE-2019-8215) 
  • Esteban Ruiz (mr_me) of Source Incite (CVE-2019-8161, CVE-2019-8164, CVE-2019-8167, CVE-2019-8168, CVE-2019-8169, CVE-2019-8182)
  • Ta Dinh Sung of STAR Labs (CVE-2019-8220, CVE-2019-8221) 
  • Behzad Najjarpour Jabbari, Secunia Research at Flexera (CVE-2019-8222)
  • Aleksandar Nikolic of Cisco Talos. (CVE-2019-8183) 
  • Nguyen Hong Quang (https://twitter.com/quangnh89) of Viettel Cyber Security (CVE-2019-8193)
  • Zhiyuan Wang and willJ from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. (CVE-2019-8185, CVE-2019-8186) 
  • Yangkang(@dnpushme) & Li Qi(@leeqwind) & Yang Jianxiong(@sinkland_) of Qihoo360 CoreSecurity(@360CoreSec) (CVE-2019-8194)
  • Lee JinYoung of Codemize Security Research Lab (http://codemize.co.kr) (CVE-2019-8216) 
  • Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team (CVE-2019-8205)
  • Zhibin Zhang of Palo Alto Networks (CVE-2019-8206) 
  • Andrew Hart (CVE-2019-8226)
  • peternguyen (meepwn ctf) working with Trend Micro Zero Day Initiative (CVE-2019-8192, CVE-2019-8177) 
  • Haikuo Xie of Baidu Security Lab (CVE-2019-8184)
  • Zhiniang Peng of Qihoo 360 Core security & Jiadong Lu of South China University of Technology (CVE-2019-8162)

Revisions

November 11, 2019: Added acknowledgement for CVE-2019-8195 & CVE-2019-8196.