Vulnerabilities

Adobe must launch a new patch to correct a critical vulnerability

After discovering that the first correction could be bypassed, the company should launch a second Adobe Reader update patch

According to network security and ethical hacking experts from the International Institute of Cyber Security, Adobe has just released a second update patch to fix an Adobe Reader zero-day vulnerability, because the first patch did not succeed in correcting the flaw.

The vulnerability, tracked as CVE-2019-7089, is a sensitive information leak that was initially supposed to have been corrected in the February Adobe update. The flaw affects Acrobat DC, Acrobat Reader DC, Acrobat 2017 Classic, and Acrobat Reader DC on computers running Windows and macOS.

After the release of the first update patch, a network security expert informed Adobe about the discovery of a method to bypass the fix, meaning the bug was still present. “Apparently the vulnerability was not properly patched. I discovered a way of evasion that I’m going to report to Adobe”, the investigator posted on his Twitter account.

This vulnerability is similar to the one known as BadPDF: it allows malicious users to exploit weaknesses in a content integration feature in Adobe Reader, forcing the software to send requests to a server under the attackers’ control when a PDF file is opened.

This attack technique, dubbed “phone home” by network security experts, allows hackers to obtain hashed password values and alerts them when a file is opened on the victim’s computer.
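A defender can triage incoming PDFs for this "phone home" behaviour by looking for references to remote hosts before the file reaches a reader. The sketch below is an added example, not code from the article or from Adobe: the article does not name the exact construct involved, so the scanner assumes the trigger appears as a UNC path or as one of the remote-capable action types defined in the PDF specification, and the function names, patterns and sample bytes are all constructed for illustration.

```python
import re
import zlib

# UNC path (\\host\share). PDF literal strings escape each backslash, so allow 2-4.
UNC_RE = re.compile(rb'\\{2,4}([A-Za-z0-9._-]+)\\{1,2}[A-Za-z0-9$._-]+')
# Action types from the PDF specification that can reference a remote target.
ACTION_RE = re.compile(rb'/S\s*/(GoToR|GoToE|Launch|URI|SubmitForm|ImportData)\b')
STREAM_RE = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.DOTALL)

def chunks(data):
    """Yield the raw file bytes, then every stream that inflates as Flate data."""
    yield data
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates a trailing byte lost to the EOL before endstream
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate (or encrypted): skipped, so a clean result is partial

def scan_pdf(data):
    """Return the UNC hosts and remote-capable action types found in a PDF."""
    findings = {"unc_hosts": set(), "remote_actions": set()}
    for chunk in chunks(data):
        findings["unc_hosts"].update(m.group(1).decode() for m in UNC_RE.finditer(chunk))
        findings["remote_actions"].update(m.group(1).decode() for m in ACTION_RE.finditer(chunk))
    return findings

# Constructed sample (a fragment, not a complete PDF); hosts are placeholders.
SAMPLE = (
    b"%PDF-1.7\n"
    rb"1 0 obj << /Type /Action /S /GoToE /F (\\\\files.example.invalid\\share) >> endobj" b"\n"
    b"2 0 obj << /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(rb'<ref href="\\telemetry.example.invalid\c$"/>')
    + b"\nendstream\nendobj\n"
)

if __name__ == "__main__":
    print(scan_pdf(SAMPLE))
```

A hit is a reason to quarantine and inspect the file, not proof of malice; streams using other filters or encryption are not inspected, so an empty result does not clear a document.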

After it was discovered that the vulnerability had not been corrected properly, a new CVE identifier was assigned to it (CVE-2019-7815). This second update patch is expected to address the bypass discovered by the investigator.

According to the company’s security reports, there is so far no evidence that the vulnerability has been exploited in real scenarios, although it strongly recommends that Adobe users update their software as soon as possible to mitigate any risk of exploitation.
