CVE-2019-8196: Adobe Security Bulletin

Adobe Acrobat and Reader versions 2019.012.20040 and earlier, 2017.011.30148 and earlier, and 2015.006.30503 and earlier have an untrusted pointer dereference vulnerability. Successful exploitation could lead to arbitrary code execution.


Security updates available for Adobe Acrobat and Reader | APSB19-49

| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB19-49 | October 15, 2019 | 2 |

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Adobe recommends users update their software installations to the latest versions by following the instructions below.

The latest product versions are available to end users via one of the following methods:

  • Users can update their product installations manually by choosing Help > Check for Updates.

  • The products will update automatically, without requiring user intervention, when updates are detected.

  • The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.

For IT administrators (managed environments):

  • Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.

  • Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
|---|---|---|---|
| Out-of-Bounds Read | Information Disclosure | Important | CVE-2019-8164, CVE-2019-8168, CVE-2019-8172, CVE-2019-8173, CVE-2019-8064, CVE-2019-8182, CVE-2019-8184, CVE-2019-8185, CVE-2019-8189, CVE-2019-8163, CVE-2019-8190, CVE-2019-8193, CVE-2019-8194, CVE-2019-8198, CVE-2019-8201, CVE-2019-8202, CVE-2019-8204, CVE-2019-8207, CVE-2019-8216, CVE-2019-8218, CVE-2019-8222 |
| Out-of-Bounds Write | Arbitrary Code Execution | Critical | CVE-2019-8171, CVE-2019-8186, CVE-2019-8165, CVE-2019-8191, CVE-2019-8199, CVE-2019-8206 |
| Use After Free | Arbitrary Code Execution | Critical | CVE-2019-8175, CVE-2019-8176, CVE-2019-8177, CVE-2019-8178, CVE-2019-8179, CVE-2019-8180, CVE-2019-8181, CVE-2019-8187, CVE-2019-8188, CVE-2019-8192, CVE-2019-8203, CVE-2019-8208, CVE-2019-8209, CVE-2019-8210, CVE-2019-8211, CVE-2019-8212, CVE-2019-8213, CVE-2019-8214, CVE-2019-8215, CVE-2019-8217, CVE-2019-8219, CVE-2019-8220, CVE-2019-8221, CVE-2019-8223, CVE-2019-8224, CVE-2019-8225 |
| Heap Overflow | Arbitrary Code Execution | Critical | CVE-2019-8170, CVE-2019-8183, CVE-2019-8197 |
| Buffer Overrun | Arbitrary Code Execution | Critical | CVE-2019-8166 |
| Cross-site Scripting | Information Disclosure | Important | CVE-2019-8160 |
| Race Condition | Arbitrary Code Execution | Critical | CVE-2019-8162 |
| Incomplete Implementation of Security Mechanism | Information Disclosure | Important | CVE-2019-8226 |
| Type Confusion | Arbitrary Code Execution | Critical | CVE-2019-8161, CVE-2019-8167, CVE-2019-8169, CVE-2019-8200 |
| Untrusted Pointer Dereference | Arbitrary Code Execution | Critical | CVE-2019-8174, CVE-2019-8195, CVE-2019-8196, CVE-2019-8205 |

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

  • Anonymous working with Trend Micro Zero Day Initiative (CVE-2019-8203, CVE-2019-8208, CVE-2019-8210, CVE-2019-8217, CVE-2019-8219, CVE-2019-8225)
  • Haikuo Xie of Baidu Security Lab working with Trend Micro Zero Day Initiative (CVE-2019-8209, CVE-2019-8223)
  • hungtt28 of Viettel Cyber Security working with Trend Micro Zero Day Initiative (CVE-2019-8204)
  • Juan Pablo Lopez Yacubian working with Trend Micro Zero Day Initiative (CVE-2019-8172)
  • Ke Liu of Tencent Security Xuanwu Lab (CVE-2019-8199, CVE-2019-8200, CVE-2019-8201, CVE-2019-8202)
  • L4Nce working with Trend Micro Zero Day Initiative (CVE-2019-8064)
  • Mat Powell of Trend Micro Zero Day Initiative (CVE-2019-8166, CVE-2019-8175, CVE-2019-8178, CVE-2019-8179, CVE-2019-8180, CVE-2019-8181, CVE-2019-8187, CVE-2019-8188, CVE-2019-8189, CVE-2019-8163, CVE-2019-8190, CVE-2019-8165, CVE-2019-8191)
  • Mateusz Jurczyk of Google Project Zero (CVE-2019-8195, CVE-2019-8196, CVE-2019-8197)
  • peternguyen working with Trend Micro Zero Day Initiative (CVE-2019-8176, CVE-2019-8224)
  • Steven Seeley (mr_me) of Source Incite working with Trend Micro Zero Day Initiative (CVE-2019-8170, CVE-2019-8171, CVE-2019-8173, CVE-2019-8174)
  • Heige of Knownsec 404 Security Team (http://www.knownsec.com/) (CVE-2019-8160)
  • Xizsmin and Lee JinYoung of Codemize Security Research Lab (CVE-2019-8218)
  • Mipu94 of SEFCOM Lab, Arizona State University (CVE-2019-8211, CVE-2019-8212, CVE-2019-8213, CVE-2019-8214, CVE-2019-8215)
  • Esteban Ruiz (mr_me) of Source Incite (CVE-2019-8161, CVE-2019-8164, CVE-2019-8167, CVE-2019-8168, CVE-2019-8169, CVE-2019-8182)
  • Ta Dinh Sung of STAR Labs (CVE-2019-8220, CVE-2019-8221)
  • Behzad Najjarpour Jabbari, Secunia Research at Flexera (CVE-2019-8222)
  • Aleksandar Nikolic of Cisco Talos (CVE-2019-8183)
  • Nguyen Hong Quang (https://twitter.com/quangnh89) of Viettel Cyber Security (CVE-2019-8193)
  • Zhiyuan Wang and willJ from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. (CVE-2019-8185, CVE-2019-8186)
  • Yangkang(@dnpushme) & Li Qi(@leeqwind) & Yang Jianxiong(@sinkland_) of Qihoo360 CoreSecurity(@360CoreSec) (CVE-2019-8194)
  • Lee JinYoung of Codemize Security Research Lab (http://codemize.co.kr) (CVE-2019-8216)
  • Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team (CVE-2019-8205)
  • Zhibin Zhang of Palo Alto Networks (CVE-2019-8206)
  • Andrew Hart (CVE-2019-8226)
  • peternguyen (meepwn ctf) working with Trend Micro Zero Day Initiative (CVE-2019-8192, CVE-2019-8177)
  • Haikuo Xie of Baidu Security Lab (CVE-2019-8184)
  • Zhiniang Peng of Qihoo 360 Core security & Jiadong Lu of South China University of Technology (CVE-2019-8162)

November 11, 2019: Added acknowledgement for CVE-2019-8195 & CVE-2019-8196.
