CVE-2019-16444
📋 TL;DR
This CVE describes a binary planting vulnerability in Adobe Acrobat and Reader that allows privilege escalation. Attackers can exploit default folder permissions to execute malicious code with elevated privileges. Users running vulnerable versions of Adobe Acrobat or Reader are affected.
💻 Affected Systems
- Adobe Acrobat DC
- Adobe Acrobat Reader DC
- Adobe Acrobat 2017
- Adobe Acrobat Reader 2017
- Adobe Acrobat 2015
- Adobe Acrobat Reader 2015
📦 What is this software?
Adobe Acrobat and Acrobat Reader are Adobe's desktop applications for viewing, creating and editing PDF documents on Windows and macOS. Reader is the free viewer; Acrobat DC, 2017 and 2015 are the paid editing products, all built on the same code base.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrative privileges, allowing installation of persistent malware, data theft, and complete control of the affected system.
Likely Case
Local privilege escalation enabling attackers to bypass security controls, install additional malware, or access restricted system resources.
If Mitigated
Limited impact with proper user account controls and application sandboxing in place, potentially preventing successful exploitation.
🎯 Exploit Status
Exploitation requires local access to place malicious binaries in default folders that Adobe applications use with elevated privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acrobat DC: 2019.021.20057; Acrobat 2017: 2017.011.30156; Acrobat 2015: 2015.006.30506
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb19-55.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat or Reader.
2. Navigate to Help > Check for Updates.
3. Follow the prompts to download and install the latest version.
4. Restart the application when prompted.
🔧 Temporary Workarounds
Restrict write permissions to Adobe default folders
Remove write permissions for standard users on Adobe's default installation and working directories, so that a low-privileged user cannot plant a binary where an elevated Adobe process will load it.
Windows: icacls "C:\Program Files\Adobe" /deny Users:(OI)(CI)W
macOS: chmod -R a-w /Applications/Adobe\ Acrobat*
Note that a deny ACE is evaluated before any allow ACE and that administrator accounts are also members of Users, so test that the Adobe updater and installer still work before deploying the Windows command broadly.
Run Adobe applications with standard user privileges
Configure Adobe applications to run without administrative privileges
Windows: Right-click Adobe shortcut > Properties > Compatibility > Run this program as an administrator (uncheck)
🧯 If You Can't Patch
- Disable Adobe Acrobat/Reader and use alternative PDF viewers
- Implement application whitelisting to prevent execution of unauthorized binaries
🔍 How to Verify
Check if Vulnerable:
Check Adobe version in Help > About Adobe Acrobat/Reader and compare with affected versions list
Check Version:
Windows: wmic product where "name like 'Adobe%Acrobat%'" get version
macOS: /usr/bin/mdls -name kMDItemVersion /Applications/Adobe\ Acrobat*.app
Verify Fix Applied:
Verify version is 2019.021.20057 or later for DC, 2017.011.30156 or later for 2017, or 2015.006.30506 or later for 2015
📡 Detection & Monitoring
Log Indicators:
- Unexpected process execution from Adobe directories
- Failed privilege escalation attempts in security logs
- Binary execution from non-standard locations by Adobe processes
Network Indicators:
- Unusual outbound connections from Adobe processes
- DNS requests for known malicious domains from Adobe context
SIEM Query (generic pseudo-syntax; map the field names onto your SIEM's schema for Security event 4688, which records the new process image and its creator process):
EventID=4688 AND ParentProcessName LIKE '%\Adobe\%' AND NewProcessName NOT LIKE '%\Program Files%\Adobe\%'
This flags child processes launched by an Adobe binary from outside the Adobe install tree, which is the pattern a planted binary produces; a query keyed on Acrobat itself having a non-Acrobat parent would match every normal launch from Explorer.
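As an added, defender-side illustration of the log indicators above (this is not code from the advisory or from Adobe): a small Python triage routine over constructed 4688-style records that flags a child process spawned by an Adobe binary from outside the assumed install directories. The directory list and the sample events are assumptions for the example; adjust them to the audited host.

```python
from pathlib import PureWindowsPath

# Assumed default install locations for this example; adjust to the audited host.
ADOBE_DIRS = (r"C:\Program Files\Adobe", r"C:\Program Files (x86)\Adobe")
# Directories from which an Adobe process is expected to launch other binaries.
TRUSTED_DIRS = ADOBE_DIRS + (
    r"C:\Program Files (x86)\Common Files\Adobe",
    r"C:\Windows\System32",
)

def under(path, dirs):
    """True if `path` lies inside one of `dirs` (Windows semantics, case-insensitive)."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(str(PureWindowsPath(d)).lower() + "\\") for d in dirs)

def is_suspicious(event):
    """Flag a 4688 record whose creator process is an Adobe binary but whose
    new process image sits outside the trusted install directories."""
    if event.get("EventID") != 4688:
        return False
    return (under(event["ParentProcessName"], ADOBE_DIRS)
            and not under(event["NewProcessName"], TRUSTED_DIRS))

def triage(events):
    """Return only the records an analyst should look at."""
    return [e for e in events if is_suspicious(e)]

# Constructed sample records in the shape of Security event 4688 (not real telemetry).
READER = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
SAMPLE_EVENTS = [
    # Adobe process launching a binary from a world-writable folder: flag.
    {"EventID": 4688, "SubjectUserName": "SYSTEM", "ParentProcessName": READER,
     "NewProcessName": r"C:\Users\Public\helper.exe"},
    # Normal launch of Reader from Explorer: benign.
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "NewProcessName": READER},
    # Reader starting its own renderer from the install tree: benign.
    {"EventID": 4688, "SubjectUserName": "jdoe", "ParentProcessName": READER,
     "NewProcessName": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"},
    # Adobe process launching from the user's temp directory: flag.
    {"EventID": 4688, "SubjectUserName": "jdoe", "ParentProcessName": READER,
     "NewProcessName": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"},
]

if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print(f"FLAG user={e['SubjectUserName']} parent={e['ParentProcessName']} -> {e['NewProcessName']}")
```

The same rule expressed over real telemetry would read the new process and creator process fields from the 4688 record; keep the trusted-directory list in step with the path checked by the workaround above.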