On Tuesday 12th May, Adobe released critical updates for Adobe Acrobat Reader DC and Adobe Acrobat DC. These patch a vulnerability that allows an attacker to gain arbitrary code execution, with some reports claiming this to be as root.
Adobe list the following as affected versions for both macOS and Windows:
| Product | Affected versions |
|---|---|
| Acrobat DC (Continuous) | 2020.006.20042 and earlier versions |
| Acrobat Reader DC (Continuous) | 2020.006.20042 and earlier versions |
| Acrobat 2017 (Classic 2017) | 2017.011.30166 and earlier versions |
| Acrobat Reader 2017 (Classic 2017) | 2017.011.30166 and earlier versions |
| Acrobat 2015 (Classic 2015) | 2015.006.30518 and earlier versions |
| Acrobat Reader 2015 (Classic 2015) | 2015.006.30518 and earlier versions |
Patching Affected Versions
To patch Acrobat Reader DC, I’d strongly suggest using the AutoPkg recipe to package this up. You can find the recipes for this here.
To patch Acrobat DC, you’ll need to either:
- Use Remote Update Manager (RUM) to install the update; or
- Create an updated package from the Adobe Admin console.
Surprisingly, there are two issues with the Adobe Admin Console when it comes to Acrobat DC:
1) The latest version listed for Acrobat DC is currently always v20.0, despite the actual version being 20.00X.XXXXX.
2) Any existing packages created in the Admin Console for Acrobat DC will show as “Up to date”, even if they’re not!
Given this, I’d suggest re-creating your Acrobat DC package to be sure it actually contains a patched version.
Note: These two issues have been logged with Adobe as of today (14th May 2020), so they should hopefully be resolved at some point!
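Because the Admin Console can report an unpatched package as “Up to date”, it is worth verifying the installed build yourself rather than trusting the console. The script below is an added example, not Adobe tooling or anything from the original post: it compares a version string against the “and earlier” thresholds in the table above, normalising Adobe’s two-digit year form (`20.006.20042`, as found in an app bundle’s `CFBundleShortVersionString`) to the four-digit form used in the bulletin. The release track cannot be reliably inferred from the version string alone, so the caller supplies it. The macOS bundle paths and the `CFBundleShortVersionString` key are assumptions about a default install; adjust them for your fleet.

```python
"""Check Acrobat/Reader version strings against the affected versions
listed in Adobe's bulletin for this update (constructed example)."""
import plistlib
from pathlib import Path
from typing import Dict, Optional, Tuple

# Highest affected build per track, as listed in the bulletin table.
# Anything at or below these values is unpatched.
AFFECTED_UP_TO = {
    "Continuous": "2020.006.20042",
    "Classic 2017": "2017.011.30166",
    "Classic 2015": "2015.006.30518",
}

# Assumed default macOS install locations (not taken from the post).
BUNDLES = {
    "Acrobat DC": "/Applications/Adobe Acrobat DC/Adobe Acrobat.app/Contents/Info.plist",
    "Acrobat Reader DC": "/Applications/Adobe Acrobat Reader DC.app/Contents/Info.plist",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2020.006.20042' or '20.006.20042' into a comparable tuple.

    Bulletins write the year in full, while the installed bundle reports
    the two-digit form, so the first component is normalised to four digits.
    """
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) != 3:
        raise ValueError(f"unexpected version format: {version!r}")
    if parts[0] < 100:
        parts[0] += 2000
    return tuple(parts)


def is_affected(track: str, version: str) -> bool:
    """True when `version` on `track` is at or below the last affected build."""
    if track not in AFFECTED_UP_TO:
        raise ValueError(f"unknown track: {track!r}")
    return parse_version(version) <= parse_version(AFFECTED_UP_TO[track])


def installed_version(plist_path: str) -> Optional[str]:
    """Read CFBundleShortVersionString from an app bundle's Info.plist.
    Returns None when the bundle is not present (e.g. run off-box)."""
    path = Path(plist_path)
    if not path.is_file():
        return None
    with path.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


def report(track: str = "Continuous") -> Dict[str, str]:
    """Map each known bundle to 'affected', 'patched' or 'not installed'."""
    result = {}
    for name, plist in BUNDLES.items():
        ver = installed_version(plist)
        if ver is None:
            result[name] = "not installed"
        else:
            result[name] = "affected" if is_affected(track, ver) else "patched"
    return result


if __name__ == "__main__":
    # Constructed sample versions: the last affected Continuous build, its
    # two-digit form, a hypothetical later build, and a Classic 2017 build.
    samples = [
        ("Continuous", "2020.006.20042"),
        ("Continuous", "20.006.20042"),
        ("Continuous", "20.007.00001"),
        ("Classic 2017", "17.011.30166"),
    ]
    for track, ver in samples:
        status = "affected" if is_affected(track, ver) else "patched"
        print(f"{track:<13} {ver:<16} {status}")
    for name, status in report().items():
        print(f"{name}: {status}")
```

Run it as a post-install check after deploying the RUM update or the re-created package; a result of `affected` for any bundle means the version on disk is still in the vulnerable range regardless of what the Admin Console shows.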
For more information, check out the following links:
- Adobe Security Bulletin – https://helpx.adobe.com/security/products/acrobat/apsb20-24.html
- Security Flaws in Adobe Acrobat Reader Allow Malicious Program to Gain Root on macOS Silently – https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/