It's only Tuesday but if you're a system administrator that allows users to run .PDF readers by either Adobe or Foxit, you're almost certainly having a busy week already.
Adobe released a slew of unscheduled updates to resolve 86 different vulnerabilities in its Acrobat and Reader products late Monday afternoon. The lion's share of the vulnerabilities, 46 in total, were branded critical by the company and could have led to arbitrary code execution. 39 of the bugs could have led to information disclosure, while the lone remaining bug, a security bypass, could have granted privilege escalation.
The vulnerabilities affect three versions of Acrobat - Acrobat DC 2018.011.20063 and earlier versions, the 2017 version of Acrobat, 2017.011.30102 and earlier versions, and the 2015 version of Acrobat, 2015.006.30452 and earlier versions - and three versions of Reader, Reader DC 2018.011.20063 and earlier versions, the 2017 version of Reader, 2017.011.30102 and earlier versions, and the 2015 version of Reader, 2015.006.30452 and earlier versions.
Researchers from Check Point Software Technologies, Tencent Security's Xuanwu Lab, and researchers working with Trend Micro's Zero Day Initiative, among others, were acknowledged for finding the vulnerabilities.
It likely won’t be the last updates both Reader and Acrobat receive this month; the company is slated to push out more updates next week, in its regularly scheduled Patch Tuesday update.
If you're running Foxit's PDF Reader to view and edit PDF documents in lieu of Adobe products, you'll want to update the software soon, too. Researchers with Cisco Talos disclosed Monday, the same day Adobe pushed its updates, that it found 18 vulnerabilities in the company's PDF Reader, including a handful of expoitable use-after-free vulnerabilities.
All of the bugs, in some way, shape, or form, can lead to arbitrary code execution, if abused.
All of the issues are use-after-free vulnerabilities that exist in the the reader's JavaScipt engine, meaning they can be triggered by embedded code if a user were to open a malicious, or rigged PDF, or view it in the web browser. in some instances a malicious site alone can trigger some of the vulnerabilities, Aleksandar Nikolic, the researcher who discovered the bugs, said Monday.
At a passing glance Adobe may seem like a whale among fish when it comes to PDF software but Foxit does count some high profile companies among its customers, including Google, Amazon, JPMorgan Chase & Company, and Bank of America.
Foxit patched Nikolic's issues, along with several other vulnerabilities, last Friday when it released Foxit Reader 9.3 and Foxit PhantomPDF 9.3. The company is urging anyone running older, affected versions on Windows, 188.8.131.5297 and earlier, to update.
Tried and true at this point, PDF readers have remained a popular target for attackers looking to spread malware.
Researchers warned this past summer that Turla, a fairly well known Russian speaking cyberespionage group, was using PDF files in emails to create a backdoor, execute commands, and steal data.