SecurityWeek

Unofficial Patch Released for Adobe Reader Zero-Day

One day before Adobe’s monthly security updates, a third-party fix has been released for an Adobe Reader vulnerability revealed several weeks ago.

Discovered by security researcher Alex Inführ, who also published proof-of-concept code, the vulnerability allows a PDF document to send SMB requests to an attacker’s server. 

The vulnerability impacts the latest version of Adobe Reader DC, 2019.010.20069, and likely affects older versions of the application as well.

The security flaw is similar to CVE-2018-4993, a vulnerability disclosed in April last year, which could allow a remote attacker to steal NTLM details included in the SMB request. The attack is possible because remote documents and files can be embedded inside PDF files. 

To address that earlier issue, Adobe added a security warning that Reader would show to the user before a request to a remote share was made. The alert allowed users to prevent a potentially malicious document from sending any type of information to the attacker’s server.

What Inführ discovered was that the alert can actually be bypassed if Universal Naming Convention (UNC) paths are employed. These paths denote resources in shared folders and are used to access remote file systems, typically SMB. 

While Adobe has yet to address the vulnerability, 0patch, a community project that aims to address software vulnerabilities by delivering tiny fixes to users worldwide, has already released a micropatch for Reader and delivered it to their users. 

The fix follows in Adobe’s footsteps by adding a warning when a PDF document uses UNC paths to load resources from a remote location. With this micropatch installed, a security alert will be displayed to the user before the document makes any request to a remote server.
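A defender-side triage sketch for the behaviour described above, added here and not code from 0patch, Adobe or the researcher: it lists the `\\host\share` targets a PDF references, looking in the raw bytes, in Flate-compressed streams and in hex strings. The function names are hypothetical, the sample bytes are constructed, and it assumes an unencrypted file whose streams use no filter other than FlateDecode.

```python
import re
import zlib

# Assumption: a UNC reference has the form \\host\share[\path...].
UNC_RE = re.compile(rb'\\\\([A-Za-z0-9._-]+)\\([^\\/:*?"<>|\r\n()]+)')
STREAM_RE = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.S)
HEX_RE = re.compile(rb'<([0-9A-Fa-f\s]{8,})>')
ESC_RE = re.compile(rb'\\([0-7]{1,3}|.)', re.S)
SIMPLE = {b'n': b'\n', b'r': b'\r', b't': b'\t', b'b': b'\b', b'f': b'\f'}

def pdf_unescape(data):
    # Undo PDF literal-string escapes: a doubled backslash or octal 134 becomes one backslash.
    def repl(m):
        tok = m.group(1)
        if tok[:1] in b'01234567':
            return bytes([int(tok, 8) & 0xFF])
        return SIMPLE.get(tok, tok)
    return ESC_RE.sub(repl, data)

def candidate_views(pdf):
    # Raw bytes, inflated streams and decoded hex strings, each also unescaped.
    chunks = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data; skip it
    for m in HEX_RE.finditer(pdf):
        digits = re.sub(rb'\s', b'', m.group(1))
        chunks.append(bytes.fromhex((digits + b'0' * (len(digits) % 2)).decode()))
    for chunk in chunks:
        yield chunk
        yield pdf_unescape(chunk)

def find_unc_targets(pdf):
    # Return the sorted set of \\host\share targets referenced anywhere in the file.
    found = set()
    for view in candidate_views(pdf):
        for host, share in UNC_RE.findall(view):
            found.add('\\\\%s\\%s' % (host.decode('latin-1'), share.decode('latin-1').strip()))
    return sorted(found)

# Constructed sample (not the published proof of concept): three ways a UNC path can be stored.
SAMPLE = (
    rb'1 0 obj << /F (\\\\fileserver.example.test\\share\\style.xsl) >> endobj' b'\n'
    b'2 0 obj << /Filter /FlateDecode >> stream\n'
    + zlib.compress(b'href=\\\\10.0.0.5\\drop\\x.xml') + b'\nendstream endobj\n'
    b'3 0 obj <' + b'\\\\nas01\\public\\t.png'.hex().encode() + b'> endobj\n'
)
```

Calling `find_unc_targets(SAMPLE)` returns the three constructed targets; a non-empty result on a document from an untrusted source is a reason to quarantine it and to check whether outbound SMB is blocked at the perimeter.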

Adobe is getting ready to release its monthly set of security updates today, and is expected to address vulnerabilities in both Adobe Acrobat and Reader, but there’s no information currently available on whether this issue will receive an official fix or not. 

UPDATE. Adobe has released an official patch for this vulnerability, which it tracks as CVE-2019-7089.

Written by Ionut Arghire, an international correspondent for SecurityWeek.