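I. Situation Analysis
Adobe recently announced that it has fixed 14 security vulnerabilities in the Windows and macOS versions of Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017 and Acrobat Reader 2017. Three of the vulnerabilities are rated Critical; they are caused by use-after-free, heap-based buffer overflow and out-of-bounds write errors.
Details of the 14 security vulnerabilities are as follows: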
Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
Heap-based buffer overflow | Arbitrary Code Execution | Critical | CVE-2020-24435 |
Improper access control | Local privilege escalation | Important | CVE-2020-24433 |
Improper input validation | Arbitrary JavaScript Execution | Important | CVE-2020-24432 |
Signature validation bypass | Minimal (defense-in-depth fix) | Moderate | CVE-2020-24439 |
Signature verification bypass | Local privilege escalation | Important | CVE-2020-24429 |
Improper input validation | Information Disclosure | Important | CVE-2020-24427 |
Security feature bypass | Dynamic library injection | Important | CVE-2020-24431 |
Out-of-bounds write | Arbitrary Code Execution | Critical | CVE-2020-24436 |
Out-of-bounds read | Information Disclosure | Moderate | CVE-2020-24426 CVE-2020-24434 |
Race Condition | Local privilege escalation | Important | CVE-2020-24428 |
Use-after-free | Arbitrary Code Execution | Critical | CVE-2020-24430 CVE-2020-24437 |
Use-after-free | Information Disclosure | Moderate | CVE-2020-24438 |
Product | Version | System |
Acrobat DC | Windows & macOS | |
Acrobat Reader DC | 2020.012.20048 and earlier | Windows & macOS |
Acrobat 2020 | 2020.001.30005 and earlier | Windows & macOS |
Acrobat Reader 2020 | 2020.001.30005 and earlier | Windows & macOS |
Acrobat 2017 | 2017.011.30175 and earlier | Windows & macOS |
Acrobat Reader 2017 | 2017.011.30175 and earlier | Windows & macOS |
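
The version table above can be turned into an inventory check. The following is an added example, not code from Adobe or from the original advisory: it classifies `host,product,version` inventory lines against the "and earlier" thresholds listed above. The inventory format, host names and sample builds are constructed, the two-digit-year version form is an assumption, and Acrobat DC is reported as `unknown` because the table gives no version for it.

```python
import re

# "And earlier" thresholds copied from the affected-version table above.
# The table gives no version for Acrobat DC, so it maps to None (unknown).
AFFECTED_MAX = {
    "Acrobat DC": None,
    "Acrobat Reader DC": "2020.012.20048",
    "Acrobat 2020": "2020.001.30005",
    "Acrobat Reader 2020": "2020.001.30005",
    "Acrobat 2017": "2017.011.30175",
    "Acrobat Reader 2017": "2017.011.30175",
}

def parse_version(text):
    """Turn 'YYYY.NNN.NNNNN' (or a 'YY.NNN.NNNNN' short form) into an int tuple."""
    m = re.fullmatch(r"(\d{2}|\d{4})\.(\d{1,3})\.(\d{1,5})", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    year, minor, build = (int(g) for g in m.groups())
    year += 2000 if year < 100 else 0  # assumption: 20.x.y means 2020.x.y
    return (year, minor, build)

def classify(product, version):
    """Return 'affected', 'not_affected' or 'unknown' for one installation."""
    limit = AFFECTED_MAX.get(product)
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"  # unparseable version: needs manual review
    if limit is None:
        return "unknown"  # product not listed, or no threshold on the page
    return "affected" if installed <= parse_version(limit) else "not_affected"

def triage(lines):
    """Classify 'host,product,version' lines into (host, product, status)."""
    rows = [[f.strip() for f in line.split(",")] for line in lines]
    return [(host, product, classify(product, ver)) for host, product, ver in rows]

# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE = [
    "ws-001,Acrobat Reader DC,2020.012.20048",
    "ws-002,Acrobat Reader DC,20.013.20064",
    "mac-07,Acrobat 2017,2017.011.30170",
    "ws-003,Acrobat DC,2020.012.20041",
    "ws-004,Acrobat 2020,2020.001.30010",
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Thresholds are compared per product rather than by version number alone, because the Acrobat Reader DC and Acrobat 2020 rows both carry versions that start with 2020 but have different limits.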
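III. Remediation Recommendations
The vendor has released upgrade patches that fix these vulnerabilities.
1. Users can obtain the update automatically through the Help menu in the product interface;
2. The latest version of the product can be downloaded from the following address: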
https://get2.adobe.com/cn/reader/