After the first fix was found to be bypassable, the company had to issue a second Adobe Reader update patch
According to network security and ethical hacking experts from the International Institute of Cyber Security, Adobe has just released a second update patch to fix an Adobe Reader zero-day vulnerability, because the first patch failed to correct the flaw.
The vulnerability, tracked as CVE-2019-7089, is a sensitive information leak that was supposed to have been corrected in the February Adobe update. It affects Acrobat DC, Acrobat Reader DC, Acrobat 2017 Classic, and Acrobat Reader DC on computers running Windows and macOS.
After the release of the first update patch, a network security expert informed Adobe that he had found a method to bypass the fix, meaning the bug was still present. “Apparently the vulnerability was not properly patched. I discovered a way of evasion that I’m going to report to Adobe,” the investigator posted on his Twitter account.
This vulnerability is similar to the one known as BadPDF: it allows malicious users to exploit weaknesses in a content integration feature in Adobe Reader, forcing the software to send requests to a server under the attackers’ control when a PDF file is opened.
This attack technique, dubbed “phone home” by network security experts, allows hackers to obtain hashed password values and also alerts them when a file is opened on the victim’s computer.
After it was discovered that the vulnerability had not been corrected properly, a new CVE identifier was assigned to it (CVE-2019-7815). This second update patch is expected to address the bypass discovered by the investigator.
According to the company’s security reports, so far there is no evidence that the vulnerability has been exploited in real scenarios, although the company strongly recommends that Adobe users update as soon as possible to mitigate any risk of exploitation.