Adobe has released updates fixing a long list of security vulnerabilities discovered in the Mac and Windows versions of Acrobat and Reader.
In total, the first October update brings 85 CVEs, including 47 rated as ‘critical’ with the remaining 39 classified as ‘important’.
It’s too early to get much detail on the flaws but those rated critical break down as 46 allowing code execution and one allowing privilege escalation. The majority of the flaws rated important involve out-of-bounds read issues leading to information disclosure.
As far as Adobe is aware, none are being actively exploited.
The updates
The update you should download depends on which version you have installed:
- For most Windows or Mac users it’ll be either Acrobat DC (the paid version) or Acrobat Reader DC (free) so look for update version 2019.008.20071.
- For anyone on the classic Acrobat 2017 or Acrobat Reader DC 2017, it’s version 2017.011.30105.
- Those on the even more classic Acrobat DC (2015) or Acrobat Reader DC (2015) it’s version 2015.006.30456.
Anyone who still has the old Acrobat XI or Reader XI on their computer, the last version was 11.0.23 when support for this ended a year ago.
A sign of success?
There was a time when having to patch so many flaws in a small suite of products from one company would have been seen as a failure.
Arguably, these days, it’s a sign of success – researchers are devoting the time to finding vulnerabilities before the bad guys do and Adobe is turning around fixes.
What’s surprising is that despite crediting every one of them (and it’s quite a list), the company doesn’t seem to have a formal bug bounty reward program other than the separate web applications program run via third party company, HackerOne.
If Adobe’s 85 vulnerabilities sounds excessive, have some sympathy for users of the rival Foxit PDF Reader and Foxit PhantomPDF programs. Foxit last week released what appears to be 116 vulnerabilities of their own (confusingly, many of which are not yet labelled with CVEs).
For some reason, the number of flaws being found in Foxit’s programs has surged this year, reaching 183 before this September’s count, compared to 76 for the whole of 2017.
As for Adobe, these updates are unlikely to be the last we hear of the company this month – expect the usual flaws to be patched in Adobe’s legacy Flash plug-in when Microsoft releases its Windows Patch Tuesday on 9 October.
Steve Biro
Honestly, why does anyone still run this software anymore?
Anon
Does anyone actually use Acrobat/Reader anymore? There are so many other better options typically with far fewer vulnerabilities.
John E Dunn
Adobe claims 200 billion PDFs were opened in its products during 2017, so the most likely answer is a lot of people still use Acrobat and Reader.
Mahhn
I get the feeling MS could fix this by removing PDFs from having system access. But what fun would it be with a secure OS. I guess I should call it Job Security….. ba dumpff
Seb King
And utterly breaks print outs from PDF’s as per several forum posts that are appearing over on adobe.com, like this one: [link redacted]
After updating Adobe Reader DC 2019 to this version on our RDS servers, none of my users could print out their files without Reader DC missing chunks of the document off the print out. The same PDFs print fine from Firefox, Foxit and even Edge(!).
Great that they have fixed so many flaws in this release, but they have borked a frequently used part of Reader DC and the fix appears to be roll back to the old version!
Lesley Manuel
There appears to be a bug in the new version released a couple of days ago. Any pdfs that are scanned to a folder will not print as the new version is not recognising it when sending to the printer. It only recognises 96% of the document so prints a blank page.
Prodromos Regalides
I don’t know how many bugs , they corrected. It does not matter. IT developers and journalist tend to get hysterical about “security flaws” , do one update after another. Not only in adobe reader in all ,modern apps. This is getting tiresome and obnoxious, even if all basic functionality worked. How do you release a major update and fail to recognise you screwed up with such basic functionality as underlining and highlighting text? Maybe because yopu have you ears stuck to the nonsense of the specialists they don’t stop throwing up, about “security security! oh oh” What would I do with security if I can’t do basic things? In one such major update which turned the name into “DC” many moons ago they had screwed up with basic scrolling speed. So, please spare me the sensitivities about ZECUTITY!
DEBI
Laughed at your bio. Thanks for making my day. And the article was good too.
John E Dunn
I see being laughed at as essential character-building,,!