CVE-2020-3749
📋 TL;DR
This CVE describes a use-after-free vulnerability in Adobe Acrobat and Reader that allows attackers to execute arbitrary code on affected systems. Users who open malicious PDF files with vulnerable versions are at risk. The vulnerability affects multiple versions across different release tracks.
💻 Affected Systems
- Adobe Acrobat DC
- Adobe Acrobat Reader DC
- Adobe Acrobat 2017
- Adobe Acrobat Reader 2017
- Adobe Acrobat 2015
- Adobe Acrobat Reader 2015
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the victim's computer, potentially leading to data theft, ransomware deployment, or lateral movement within networks.
Likely Case
Malicious PDF files delivered via phishing emails or compromised websites lead to malware installation, credential theft, or surveillance software deployment on individual workstations.
If Mitigated
With proper endpoint protection, application whitelisting, and user training, exploitation attempts are blocked or detected before successful compromise.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious PDF file. The vulnerability is in the core PDF parsing functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2019.021.20062, 2017.011.30157, 2015.006.30509
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb20-05.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat or Reader. 2. Go to Help > Check for Updates. 3. Follow prompts to download and install the latest version. 4. Restart the application when prompted.
🔧 Temporary Workarounds
Disable JavaScript in Adobe Reader
allPrevents JavaScript-based exploitation vectors that might leverage this vulnerability
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Use Protected View
allOpen PDF files in Protected View mode to limit potential damage
File > Properties > Security > Enable Protected View for all files
🧯 If You Can't Patch
- Block PDF files at email gateways and web proxies
- Implement application whitelisting to prevent unauthorized executables from running
🔍 How to Verify
Check if Vulnerable:
Check Help > About Adobe Acrobat/Reader and compare version numbers to affected rangesCheck Version:
On Windows: wmic product where name like "Adobe Acrobat%" get versionVerify Fix Applied:
Verify version is 2019.021.20062 or later, 2017.011.30157 or later, or 2015.006.30509 or later📡 Detection & Monitoring
Log Indicators:
- Application crashes in Adobe Acrobat/Reader logs
- Unexpected child processes spawned from Acrobat/Reader
Network Indicators:
- Outbound connections from Acrobat/Reader process to unknown IPs
- DNS requests for suspicious domains following PDF opening
SIEM Query:
process_name:"AcroRd32.exe" AND (event_id:1000 OR parent_process_name:"AcroRd32.exe")