Cisco Talos recently discovered two remote code execution vulnerabilities in Adobe Acrobat Reader. Acrobat supports a number of features, including the ability to process embedded JavaScript. These flaws exist in the way the software handles the destruction of annotations from inside event handlers. An attacker could trigger these vulnerabilities by tricking a user into opening a malicious file or web page, and could then execute arbitrary code on the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Adobe Acrobat Reader DC annotation destroy remote code execution (TALOS-2020-1028/CVE-2020-9607)

Specific JavaScript code embedded in a PDF file can lead to heap corruption when the document is opened in Adobe Acrobat Reader DC 2020.006.20034. With careful memory manipulation, this can lead to arbitrary code execution. The victim would need to open the malicious file or access a malicious web page to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Adobe Acrobat Reader DC JavaScript submitForm remote code execution vulnerability (TALOS-2020-1031/CVE-2020-9609)

Specific JavaScript code embedded in a PDF file can lead to out-of-bounds memory access when the document is opened in Adobe Acrobat Reader DC 2020.006.20034. With careful memory manipulation, this can lead to the disclosure of sensitive information, as well as memory corruption, which can lead to arbitrary code execution. The victim would need to open the malicious file or access a malicious web page to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that version 2020.006.20034 of Adobe Acrobat Reader DC is affected by these vulnerabilities.

Coverage

The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 53563, 53564, 53485, 53486
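
For file-level triage alongside the network rules above, the following added example (not Talos or Adobe code) flags PDFs that carry embedded JavaScript, the feature through which both vulnerabilities are reached. It does not identify these specific flaws; the function names and the sample byte strings are constructed for illustration.

```python
import re

# PDF name tokens worth counting during triage. ObjStm marks compressed
# object streams, whose contents a raw byte scan cannot see.
TRACKED = ("JS", "JavaScript", "OpenAction", "AA", "Annots", "ObjStm")

# A PDF name is "/" followed by regular characters (no whitespace/delimiters).
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def count_names(data: bytes) -> dict:
    """Count tracked names in raw PDF bytes (binary streams may add noise)."""
    counts = {name: 0 for name in TRACKED}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def verdict(data: bytes) -> str:
    counts = count_names(data)
    if counts["JS"] or counts["JavaScript"]:
        return "javascript"
    if counts["ObjStm"]:
        # Names may be hidden inside compressed object streams.
        return "inconclusive"
    return "no-javascript-seen"


# Constructed sample fragments, not taken from any real document.
SAMPLE_PLAIN = (b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                b"2 0 obj\n<< /S /JavaScript /JS (var x = 1;) >>\nendobj\n")
SAMPLE_ESCAPED = b"2 0 obj\n<< /S /J#61vaScript /J#53 (var x = 1;) >>\nendobj\n"
SAMPLE_OBJSTM = (b"5 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length 8 >>\n"
                 b"stream\n\x01\x02\x03\x04\x05\x06\x07\x08\nendstream\nendobj\n")
SAMPLE_CLEAN = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    for label, blob in [("plain", SAMPLE_PLAIN), ("escaped", SAMPLE_ESCAPED),
                        ("objstm", SAMPLE_OBJSTM), ("clean", SAMPLE_CLEAN)]:
        print(label, verdict(blob), count_names(blob))
```

An "inconclusive" result means the file should go to a parser that decompresses object streams before it is treated as free of JavaScript.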