How often does a vendor find itself having to patch the same critical flaw twice within a matter of days?
It’s almost unheard of. Nevertheless, that’s exactly what Adobe has had to do: fix CVE-2019-7089, a vulnerability in Reader it thought it had addressed on 12 February as part of Patch Tuesday.
The flaw was originally made public by Cure53 researcher Alex Inführ in January, who discovered how a malicious PDF could be used to trigger an SMB call-back revealing an NTLMv2 hash.
Ironically, he was inspired to look at this PDF mechanism by the very similar ‘BadPDF’ flaw, which also leaked NTLMv2 hashes, reported last April and eventually patched by Adobe in November as CVE-2018-4993.
However, a day after this month’s apparent Patch Tuesday fix, Inführ took to Twitter to report that he’d found a way to bypass the fix in the newly patched version.
On 21 February, Adobe had a second go at fixing the problem, now identified as CVE-2019-7815, through bulletin APSB19-13.
Affecting Acrobat/Reader DC versions 2019.010.20091 and earlier, this brings the software to 2019.010.20098.
With the first flaw, Adobe had to act fast, as Inführ had revealed it in broad outline, which raised the risk of exploitation.
The second fix was also urgent, because anyone looking to exploit the first issue might stumble across the bypass.
Guerrilla patching
A small twist to this saga is that before Adobe issued its original fix for CVE-2019-7089, a company called Acros came up with a fix of its own, a “0Patch” guerrilla patch issued in advance of the official one.
All good publicity for the cause of third-party patching, but also a hint that some researchers don’t trust Adobe to do the job effectively.
And so ends a mildly embarrassing few days for Adobe.
Vendors occasionally re-issue patches that cause unforeseen problems or, more rarely still, find themselves addressing a new vulnerability created by a fix. Fixing the same or similar flaw twice in the same week (and three times in as many months) feels like new territory.