Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.

Executive summary

Adobe Acrobat Reader contains two remote code execution vulnerabilities that can be triggered when a user opens a malicious PDF with the software. Acrobat is the most widely used PDF reader on the market, making the potential target base for these bugs fairly large. The program supports JavaScript embedded in PDFs to allow for interactive forms, which gives a potential attacker the ability to precisely control memory layout and creates an additional attack surface.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Adobe Acrobat Reader DC OCGs state change remote code execution vulnerability (TALOS-2018-0778/CVE-2019-7761)

Specific JavaScript code embedded in a PDF file can lead to heap corruption when the document is opened in Adobe Acrobat Reader DC, version 2019.10.20069. With careful memory manipulation, this can lead to arbitrary code execution. The victim would need to open the malicious file or access a malicious web page to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Adobe Acrobat Reader DC OCGs state change remote code execution vulnerability (TALOS-2019-0796/CVE-2019-7831)

Specific JavaScript code embedded in a PDF file can lead to heap corruption when the document is opened in Adobe Acrobat Reader DC 2019.10.20098. With careful memory manipulation, this can lead to arbitrary code execution. To trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that Adobe Acrobat Reader DC, version 2019.010.20069, is affected by TALOS-2018-0778. TALOS-2019-0796 affects version 2019.010.20098.

Coverage

The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48293, 48294, 49189, 49190, 49684, 49685
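
Both advisories are triggered by JavaScript embedded in a PDF and involve optional content groups (OCGs). As an added host-side triage example (not Talos or Adobe code, and not a substitute for the Snort rules above), the following Python functions flag PDFs that carry both script actions and OCG structures, including names hidden behind #xx escapes or inside Flate-compressed streams. The name lists, function names and sample bytes are assumptions constructed for illustration.

```python
import re
import zlib

# Assumed watch lists: standard PDF names for script actions and optional content.
SCRIPT_NAMES = {"JS", "JavaScript"}
OCG_NAMES = {"OCG", "OCGs", "OCProperties"}

# A PDF name is "/" followed by any bytes except whitespace and delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.S)


def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes, so J#61vaScript reads as JavaScript."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")


def inflated_streams(data: bytes):
    """Yield stream bodies that inflate as zlib (FlateDecode); skip the rest."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data (image, other filter, encrypted)


def triage(data: bytes) -> dict:
    """Report script and OCG names seen in the raw file and in Flate streams."""
    found = set()
    for blob in [data, *inflated_streams(data)]:
        found.update(decode_name(n) for n in NAME_RE.findall(blob))
    script = sorted(found & SCRIPT_NAMES)
    ocg = sorted(found & OCG_NAMES)
    return {"script": script, "ocg": ocg, "review": bool(script and ocg)}


# Constructed samples: a compressed object stream hiding an escaped script
# name next to an OCG catalog entry, and a plain document with neither.
HIDDEN = zlib.compress(b"<< /S /J#61vaScript /JS (app.alert(1);) >>")
SAMPLE = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OCProperties 3 0 R >>\n"
          b"endobj\n2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + HIDDEN + b"\nendstream\nendobj\n%%EOF\n")
BENIGN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    print(triage(SAMPLE), triage(BENIGN))
```

A hit means only that the file contains both features and deserves closer inspection in a sandboxed viewer or with patched software; encrypted documents and streams using other filters are not inspected by this check.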