Tuesday, October 15, 2019

Vulnerability Spotlight: Another fix for Adobe Acrobat Reader DC text field value remote code execution



Aleksandar Nikolic of Cisco Talos discovered this vulnerability.

Cisco Talos would once again like to draw attention to a remote code execution vulnerability in Adobe Acrobat Reader. Acrobat, one of the most popular PDF readers on the market, contains a bug in which the software incorrectly counts array elements. The same code present in the previously disclosed TALOS-2018-0704 and TALOS-2019-0774 could trigger this vulnerability, potentially allowing an attacker to execute code remotely. Adobe previously patched those two vulnerabilities, but the fixes did not cover all possible cases.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Adobe Acrobat Reader DC text field value remote code execution vulnerability redux (TALOS-2019-0860/CVE-2019-8183)

Specific JavaScript code embedded in a PDF file can lead to heap corruption when the document is opened in Adobe Acrobat Reader DC, version 2019.012.20035. With careful memory manipulation, this can lead to arbitrary code execution. To trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. The vulnerability in this advisory is the same as TALOS-2018-0704 and TALOS-2019-0774, as it was not properly patched to cover all cases.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that Adobe Acrobat Reader DC, version 2019.012.20035, is affected by this vulnerability.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48293, 48294
