Computer Emergency Response Team of Mauritius (CERT-MU)

VN-2019-01


Adobe Reader DC JavaScript Read-Only Variables Arbitrary Overwrite Restrictions Bypass Vulnerability
Severity Rating: High
Systems Affected:
| Product | Track | Affected Versions | Platform |
|---|---|---|---|
| Acrobat DC | Continuous | 2019.010.20064 and earlier versions | Windows and macOS |
| Acrobat Reader DC | Continuous | 2019.010.20064 and earlier versions | Windows and macOS |
| Acrobat 2017 | Classic 2017 | 2017.011.30110 and earlier versions | Windows and macOS |
| Acrobat Reader 2017 | Classic 2017 | 2017.011.30110 and earlier versions | Windows and macOS |
| Acrobat DC | Classic 2015 | 2015.006.30461 and earlier versions | Windows and macOS |
| Acrobat Reader DC | Classic 2015 | 2015.006.30461 and earlier versions | Windows and macOS |
 
Description
This vulnerability allows remote attackers to bypass API restrictions on vulnerable installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of read-only properties and objects. By creating a specially crafted PDF with specific JavaScript instructions, it is possible to bypass the JavaScript API restrictions. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.
Solution
Users are advised to apply updates.
More information is available on:
Vendor Information
Adobe
CVE Information
 
References
Adobe Security Bulletin
Zero Day Initiative
Contact Information
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis