Critical security flaws in Adobe Acrobat Reader and Adobe Acrobat allow takeover of a victim’s Mac with all-powerful “root” priviliges. Adobe issued patches for this and also for security flaws in Adobe’s DNG SDK software. See MacInTouch discussions for important details about prerequisites for Adobe’s patches.
Security Flaws in Adobe Acrobat Reader Allow Malicious Program to Gain Root on macOS Silently
Today, Adobe Acrobat Reader DC for macOS patched three critical vulnerabilities (CVE-2020-9615, CVE-2020-9614, CVE-2020-9613) I reported. The only requirement needed to trigger the vulnerabilities is that Adobe Acrobat Reader DC has been installed. A normal user on macOS (with SIP enabled) can locally exploit this vulnerabilities chain to elevate privilege to the ROOT without a user being aware. In this blog, I will analyze the details of vulnerabilities and show how to exploit them.
Adobe Acrobat and Reader | APSB20-24
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution…
Adobe DNG SDK | APSB20-26
Adobe has released an update for the Adobe DNG Software Development Kit (SDK) for Windows and macOS. This update resolves multiple Heap Overflow and Out-of-Bounds Read vulnerabilities that could lead to Remote Code Execution and Information Disclosure respectively.