For the August edition of Patch Tuesday, Adobe Systems today supplied fixes for 26 vulnerabilities — 11 critical — in Acrobat and Reader and one in its image organization and manipulation software Lightroom Classic.
Nine of the 11 critical flaws can result in arbitrary code execution. Two are caused by out-of-bounds write conditions (CVE-2020-9693, CVE-2020-9694), five are identified as buffer errors (CVE-2020-9698, CVE-2020-9699, CVE-2020-9700, CVE-2020-9701, CVE-2020-9704), and two are use-after-free bugs (CVE-2020-9715, CVE-2020-9722). The final two critical vulnerabilities are a pair of security feature bypass flaws (CVE-2020-9696, CVE-2020-9712).
Adobe also repaired 15 important bugs, with consequences that include memory leak, privilege escalation, application denial of service and information disclosure.
The vulnerabilities were fixed in the newly released version 2020.012.20041 of Acrobat DC and Acrobat Reader DC, version 2020.001.30005 of Acrobat 2020 and Acrobat Reader 2020, version 2017.011.30175 of Acrobat 2017 and Acrobat Reader 2017, and version 2015.006.30527 of Acrobat 2015 and Acrobat Reader 2015.
Adobe also fixed an important privilege escalation bug in Lightroom Classic for Windows, with the release of version 9.3.
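Because the fixed builds differ per product track, a quick inventory check has to match each installed build against the right minimum. The script below is an added example, not from the article or from Adobe: it encodes the fixed versions named above, infers the Acrobat track from the version string (assumption: Classic-track builds carry 30xxx build numbers while the DC continuous track uses 20xxx), and flags hosts in a constructed sample inventory that are still below the patched build.

```python
"""Compare installed Acrobat/Reader and Lightroom Classic builds against the
fixed versions from Adobe's August 2020 Patch Tuesday release."""
import re

# Minimum patched version per product track, as listed in the article.
FIXED = {
    ("acrobat", "dc"):   "2020.012.20041",
    ("acrobat", "2020"): "2020.001.30005",
    ("acrobat", "2017"): "2017.011.30175",
    ("acrobat", "2015"): "2015.006.30527",
    ("lightroom-classic", "9"): "9.3",
}

# Constructed sample inventory (hypothetical hosts): host,product,installed version
SAMPLE_INVENTORY = """\
ws-01,acrobat,2020.009.20074
ws-02,acrobat,2020.012.20041
ws-03,acrobat,2017.011.30166
ws-04,acrobat,2015.006.30527
ws-05,lightroom-classic,9.2.1
"""

def parse_version(text):
    """Turn '2020.012.20041' into (2020, 12, 20041); reject anything else."""
    if not re.fullmatch(r"\d+(\.\d+)+", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))

def acrobat_track(version):
    """Classify an Acrobat/Reader version as 'dc' or a Classic year.
    Assumption: Classic builds are numbered 30xxx, DC builds 20xxx."""
    major, _minor, build = version[:3]
    return str(major) if build >= 30000 else "dc"

def is_patched(product, version_text, track=None):
    """Return (patched, track, minimum_version); track is inferred if omitted."""
    version = parse_version(version_text)
    if track is None:
        track = acrobat_track(version) if product == "acrobat" else str(version[0])
    minimum = FIXED.get((product, track))
    if minimum is None:
        raise KeyError(f"no fixed version known for {product} track {track}")
    # Tuple comparison orders segment by segment, so 9.2.1 < 9.3 and 2017.011.30166 < 2017.011.30175.
    return version >= parse_version(minimum), track, minimum

def unpatched_hosts(inventory):
    """Return (host, product, track, installed, minimum) for every host below the fix."""
    findings = []
    for line in inventory.strip().splitlines():
        host, product, installed = line.split(",")
        patched, track, minimum = is_patched(product, installed)
        if not patched:
            findings.append((host, product, track, installed, minimum))
    return findings
```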
Richard Melick, senior technical product manager at Automox, noted how last month Adobe announced two out-of-band security updates in the weeks following the company's official Patch Tuesday [1, 2]. "Whether this is due to the increased usage, and thus data collection, of their products with more folks [working] remote or an increase in vulnerability research, the uptick in releases shows promise for Adobe's approach to product security," he said. However, "With a patch released every week from Adobe, it also shows that waiting until Patch Tuesday to research and deploy the updates could be leaving endpoints susceptible to known vulnerabilities."