WTF PDF: If at first you don't succeed, you may be Adobe re-patching its Acrobat, Reader patches
Plus: How Microsoft Edge lets Facebook Flash files dodge its click-to-play rules
Adobe is taking a second crack at patching security bugs in its Acrobat and Reader PDF apps.
The APSB19-13 release, out today, attempts to completely kill off vulnerability CVE-2019-7089, which a software update earlier this month tried to address but was found to have insufficiently covered the security hole. In other words, Adobe's earlier update didn't fully fix the issue, and so now people have to update and patch their Acrobat and Reader installations again.
According to Symantec's Security Focus site, the vulnerability is the result of a boundary condition error in Reader and Acrobat, and can be remotely targeted by attackers. A victim would need to open a booby-trapped file in Acrobat or Reader, sent in an email or downloaded from a website, and hey-presto, information on their computer could end up leaking out into the wrong hands. As a data-disclosure flaw, CVE-2019-7089 is less serious than the usual remote code execution bugs Adobe routinely has to squash in its software.
"Successful exploitation could lead to sensitive information disclosure in the context of the current user, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin," Adobe said of the programming cockup.
Adobe's bungled fix was part of a larger Patch Tuesday batch of updates that, between Adobe and Microsoft, addressed more than 150 CVE-listed vulnerabilities in Flash, Acrobat, Reader, Office, and Windows.
For Acrobat and Reader Continuous edition, the incomplete update was 2019.010.20091. For Acrobat and Reader Classic 2017, the incomplete update was 2017.011.30120, and for Classic 2015, 2015.006.30475.
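For admins checking an inventory of installed builds against the three incomplete update numbers above, here is a small Python check. It is an added example, not code from Adobe or from this article, and it makes one assumption about how Adobe numbers its tracks: Classic builds carry a third component of 30000 or above (2017.011.30120, 2015.006.30475), while Continuous builds carry 20000-range build numbers. The fixed APSB19-13 build numbers are not given in the article, so the check only reports whether a build is at or below the incomplete update for its track, meaning it definitely still needs the second patch; it does not assert that anything newer is fixed.

```python
"""Added example: flag Acrobat/Reader builds that are still on (or behind)
the incomplete February 2019 update and so still need APSB19-13."""
from typing import Tuple

# Incomplete first-attempt update builds named in the article, per release track.
INCOMPLETE_BUILDS = {
    "continuous": (2019, 10, 20091),
    "classic_2017": (2017, 11, 30120),
    "classic_2015": (2015, 6, 30475),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2019.010.20091' into (2019, 10, 20091); reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat/Reader version format: {version!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)


def classify_track(version: Tuple[int, int, int]) -> str:
    """Map a parsed version onto one of the three tracks in INCOMPLETE_BUILDS.

    Assumption (not stated in the article): Classic track builds use 3xxxx
    build numbers, Continuous track builds use 2xxxx build numbers.
    """
    major, _minor, build = version
    if build < 30000:
        # Continuous track, including old 2015.0xx.2xxxx / 2017.0xx.2xxxx builds;
        # those compare as older than the 2019 incomplete build and get flagged.
        return "continuous"
    if major == 2017:
        return "classic_2017"
    if major == 2015:
        return "classic_2015"
    raise ValueError(f"no known Classic track for major version {major}")


def needs_repatch(version: str) -> bool:
    """True if the installed build is the incomplete update or older for its track."""
    parsed = parse_version(version)
    track = classify_track(parsed)
    return parsed <= INCOMPLETE_BUILDS[track]


def triage(inventory: dict) -> dict:
    """Return {host: version} for every host that still needs the second patch."""
    return {host: ver for host, ver in inventory.items() if needs_repatch(ver)}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "ws-01": "2019.010.20091",   # incomplete Continuous build from the article
        "ws-02": "2019.010.20099",   # constructed later Continuous build
        "ws-03": "2017.011.30120",   # incomplete Classic 2017 build
        "ws-04": "2015.006.30475",   # incomplete Classic 2015 build
        "ws-05": "2017.012.20098",   # old Continuous build, well behind the 2019 line
    }
    for host, ver in triage(sample).items():
        print(f"{host}: {ver} still needs APSB19-13")
```

Run it over your own host-to-version map; anything it prints is a build the article identifies as not fully covering CVE-2019-7089 (or something older still).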
As the flaw is now well known, there is an elevated risk it could be targeted by attackers, particularly in combination with other vulnerabilities. Having to post a fix for a fix is also not a great look for Adobe.
Users and admins can, hopefully, patch up the vulnerability once and for all by updating to the latest versions of Acrobat and Reader as soon as possible. ®
Speaking of Adobe...
Adobe's Flash Player is also making news this week, thanks to Microsoft. Redmond has confirmed that when users opt to turn off Flash auto-play in Edge, and thus force the plugin to require confirmation to run, Facebook will still be allowed to run its Flash files in the browser without permission. This is seemingly designed to allow Facebook-hosted Flash games to run without requiring the user to click on a button to make them play.
Google Project Zero bod Ivan Fratric uncovered this Flash white-listing, which previously allowed some 58 domains, from Deezer.com to a hairdressing website, to run Adobe Flash content without any click-to-play permission. In the latest Patch Tuesday updates, Microsoft quietly reduced that list to just two Facebook domains, and only if the Flash content is large and obvious, such as a game.
When asked about the decision, a Microsoft spokesperson told us: "We are nearing the point where Flash is no longer part of the default experience in Microsoft Edge on any site and the recent changes in February were the next step of the transition plan."