CVE-2019-16470: Adobe Security Bulletin
Adobe Acrobat Reader versions 2019.021.20056 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Security update available for Adobe Acrobat and Reader | APSB19-55
Bulletin ID | Date Published | Priority
----------- | ----------------- | --------
APSB19-55   | December 10, 2019 | 2
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.
Adobe recommends users update their software installations to the latest versions by following the instructions below.
The latest product versions are available to end users via one of the following methods:
Users can update their product installations manually by choosing Help > Check for Updates.
The products will update automatically, without requiring user intervention, when updates are detected.
The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.
For IT administrators (managed environments):
Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.
Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, or SCUP/SCCM (Windows), or, on macOS, Apple Remote Desktop and SSH.
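Before pushing the update through any of the channels above, an administrator usually wants a list of which hosts are still inside the affected range. The following is an added example, not Adobe tooling or anything from this bulletin: it takes the one affected-version boundary the page states (Acrobat Reader 2019.021.20056 and earlier), parses Adobe's dotted version strings numerically rather than as text, and reads a constructed `host,product,version` inventory. Versions from the Classic 2017/2015 tracks are reported as `other_track` rather than judged, because this page gives no boundary for them. The hostnames, the inventory format, and the constant names are assumptions.

```python
"""Flag Acrobat Reader DC installs still within the APSB19-55 affected range.

Added example, not Adobe tooling. The only affected-version boundary stated
on this page is "Acrobat Reader 2019.021.20056 and earlier"; the Classic
2017/2015 tracks have their own version lines and are reported as
"other_track" rather than judged. Inventory data below is constructed.
"""
import re

AFFECTED_MAX = "2019.021.20056"   # boundary quoted from the bulletin text

_DOTTED = re.compile(r"^\d+(\.\d+)+$")


def parse_version(text):
    """Return an Adobe dotted version as a tuple of ints, e.g. (2019, 21, 20056).

    Adobe zero-pads the middle field, so a plain string comparison happens to
    work while every field has the same width; comparing integer tuples stays
    correct when widths differ (2019.8.x versus 2019.021.x).
    """
    text = text.strip()
    if not _DOTTED.match(text):
        raise ValueError("not a dotted version: %r" % text)
    return tuple(int(part) for part in text.split("."))


def classify(version, affected_max=AFFECTED_MAX):
    """One of 'affected', 'not_affected' or 'other_track'; raises ValueError on junk."""
    parsed = parse_version(version)
    limit = parse_version(affected_max)
    if parsed[0] < limit[0]:
        # 2017.x / 2015.x Classic tracks: this page gives no boundary for
        # them, so do not guess; a human checks the full affected table.
        return "other_track"
    return "affected" if parsed <= limit else "not_affected"


def triage(inventory_lines):
    """Group 'host,product,version' lines by classify() result.

    Unparseable lines land under 'unparsed' so an inventory gap never
    silently reads as 'patched'.
    """
    groups = {"affected": [], "not_affected": [], "other_track": [], "unparsed": []}
    for raw in inventory_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            groups["unparsed"].append(line)
            continue
        host, product, version = parts
        try:
            groups[classify(version)].append((host, product, version))
        except ValueError:
            groups["unparsed"].append(line)
    return groups


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = """\
# host,product,version
ws01,Adobe Acrobat Reader DC,2019.021.20056
ws02,Adobe Acrobat Reader DC,2019.012.20040
ws03,Adobe Acrobat Reader DC,2019.021.20061
ws04,Adobe Acrobat Reader DC,2020.006.20034
ws05,Adobe Acrobat Reader DC,2017.011.30150
ws06,Adobe Acrobat Reader DC,unknown
""".splitlines()


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_INVENTORY).items():
        print("%-13s %s" % (bucket + ":", entries))
```

The `unparsed` and `other_track` buckets are deliberate: a host whose version string the inventory agent could not read, or one on a track this page says nothing about, should show up for manual review rather than disappear from the "needs update" list.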
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version. The vulnerabilities addressed by this update are listed below:
Vulnerability Category | Vulnerability Impact | Severity | CVE Number
---------------------- | -------------------- | -------- | ----------
Out-of-Bounds Read | Information Disclosure | Important | CVE-2019-16449, CVE-2019-16456, CVE-2019-16457, CVE-2019-16458, CVE-2019-16461, CVE-2019-16465
Out-of-Bounds Write | Arbitrary Code Execution | Critical | CVE-2019-16450, CVE-2019-16454
Use After Free | Arbitrary Code Execution | Critical | CVE-2019-16445, CVE-2019-16448, CVE-2019-16452, CVE-2019-16459, CVE-2019-16464, CVE-2019-16471
Heap Overflow | Arbitrary Code Execution | Critical | CVE-2019-16451
Buffer Error | Arbitrary Code Execution | Critical | CVE-2019-16462, CVE-2019-16470
Untrusted Pointer Dereference | Arbitrary Code Execution | Critical | CVE-2019-16446, CVE-2019-16455, CVE-2019-16460, CVE-2019-16463
Binary Planting (default folder privilege escalation) | Privilege Escalation | Important | CVE-2019-16444
Security Bypass | Arbitrary Code Execution | Critical | CVE-2019-16453
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:
- Mateusz Jurczyk of Google Project Zero & Anonymous working with Trend Micro Zero Day Initiative (CVE-2019-16451)
- Honc (章哲瑜) (CVE-2019-16444)
- Ke Liu of Tencent Security Xuanwu Lab (CVE-2019-16445, CVE-2019-16449, CVE-2019-16450, CVE-2019-16454, CVE-2019-16471)
- Sung Ta (@Mipu94) of SEFCOM Lab, Arizona State University (CVE-2019-16446, CVE-2019-16448)
- Aleksandar Nikolic of Cisco Talos (CVE-2019-16463)
- Technical support team of HTBLA Leonding (CVE-2019-16453)
- Haikuo Xie of Baidu Security Lab (CVE-2019-16461)
- Bit of STAR Labs (CVE-2019-16452)
- Xinyu Wan and Yiwei Zhang from Renmin University of China (CVE-2019-16455, CVE-2019-16460, CVE-2019-16462)
- Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team (CVE-2019-16456)
- Zhibin Zhang of Palo Alto Networks (CVE-2019-16457)
- Qi Deng, Ken Hsu of Palo Alto Networks (CVE-2019-16458)
- Lexuan Sun, Hao Cai of Palo Alto Networks (CVE-2019-16459)
- Yue Guan, Haozhe Zhang of Palo Alto Networks (CVE-2019-16464)
- Hui Gao of Palo Alto Networks (CVE-2019-16465)
- Zhibin Zhang, Yue Guan of Palo Alto Networks (CVE-2019-16465)
- Zhangqing and Zhiyuan Wang from cdsrc of Qihoo 360 (CVE-2019-16470)
March 26, 2020: Added acknowledgement for CVE-2019-16471, CVE-2019-16470.