Adobe’s scheduled Patch Tuesday updates for February brought fixes for a range of security vulnerabilities in Adobe Reader. While most of the flaws were fixed, one of the fixes did not hold: a researcher reported a bypass for the patch addressing a critical Adobe Reader vulnerability that results in data leakage.
Critical Data Leakage Adobe Reader Vulnerability
Adobe patched a critical zero-day flaw alongside 42 other security flaws in Adobe Reader. That zero-day Adobe Reader vulnerability could result in information disclosure upon exploitation.
Adobe described that vulnerability as a sensitive data leakage flaw. Although Adobe released a fix for it, researcher Alex Inführ of Cure53 found faults in the fix. He first pointed this out in a tweet.
No, it does not seem to be properly patched as I discovered a bypass. Going to report the bypass to Adobe
— alex (@insertScript) February 13, 2019
Inführ reported the bypass to Adobe. According to his findings, an attacker could easily bypass the fix. He has since shared a short PoC in a follow-up tweet.
As Adobe has patched my bypass, here is the short PoC: Instead of specifying \<attackerDomain>sharex, I used \;LanmanRedirector<attackerDomain>share -> Explanation by James Forshaw: https://t.co/BV1gD5gnCq
— alex (@insertScript) February 22, 2019
Adobe Rolled-Out Another Patch
After Inführ’s report, Adobe released another fix addressing the flaw. Describing it in their advisory, Adobe stated,
“These updates address a reported bypass to the fix for CVE-2019-7089… Successful exploitation could lead to sensitive information disclosure in the context of the current user.”
Because this bypass targets the fix for the earlier flaw, it affects all versions of Adobe Reader, including those that already carry that fix. Adobe has assigned it the CVE ID CVE-2019-7815 with a critical severity rating.
Adobe has rolled out the fix for CVE-2019-7815 in the latest releases for Windows and macOS. Users should update to Acrobat DC and Acrobat Reader DC (Continuous track) version 2019.010.20098, Acrobat 2017 and Acrobat Reader DC 2017 version 2017.011.30127, or Acrobat DC and Acrobat Reader DC (Classic 2015) version 2015.006.30482, as applicable. Adobe notes that the updates will download and install automatically without requiring user intervention.