CVE-2020-9596
📋 TL;DR
This vulnerability in Adobe Acrobat and Reader allows attackers to bypass security features in affected versions. Successful exploitation could let attackers circumvent protections that normally restrict malicious actions. Users running vulnerable versions of Adobe Acrobat or Reader are affected.
💻 Affected Systems
- Adobe Acrobat DC
- Adobe Acrobat Reader DC
- Adobe Acrobat 2017
- Adobe Acrobat Reader 2017
- Adobe Acrobat 2015
- Adobe Acrobat Reader 2015
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass security controls to execute arbitrary code, install malware, or access restricted system resources through malicious PDF files.
Likely Case
Attackers bypass security features to perform unauthorized actions within the PDF context, potentially leading to data exfiltration or further system compromise.
If Mitigated
With proper controls like application whitelisting and network segmentation, impact is limited to the PDF application sandbox with minimal system-wide effects.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious PDF file. No public proof-of-concept has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2020.009.20063 for 2020 track, 2017.011.30173 for 2017 track, 2015.006.30524 for 2015 track
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb20-24.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat or Reader.
2. Navigate to Help > Check for Updates.
3. Follow prompts to download and install available updates.
4. Restart the application when prompted.
🔧 Temporary Workarounds
Disable JavaScript in Adobe Reader
All platforms: Disabling JavaScript can prevent some exploitation vectors that rely on JavaScript execution
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Use Protected View
All platforms: Enable Protected View for files from potentially unsafe locations
Edit > Preferences > Security (Enhanced) > Enable Protected View for all files from potentially unsafe locations
🧯 If You Can't Patch
- Restrict PDF file handling to trusted sources only
- Implement application whitelisting to prevent unauthorized PDF execution
🔍 How to Verify
Check if Vulnerable:
Check Adobe Acrobat/Reader version via Help > About Adobe Acrobat/Reader and compare against affected versions
Check Version:
On Windows: wmic product where "name like 'Adobe Acrobat%'" get version
Verify Fix Applied:
Verify version is 2020.009.20063 or later (2020 track), 2017.011.30173 or later (2017 track), or 2015.006.30524 or later (2015 track)
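The comparison described above can be scripted. The following is an added example, not code from Adobe or from this page: it classifies version strings against the fixed builds listed under Official Fix. It assumes that installers report a two-digit year (20.009.20063) and that the build prefix separates the tracks (30xxx Classic, 20xxx Continuous), which is Adobe's numbering convention and is not stated on this page. All function names and the sample input are constructed.

```python
import re

# Fixed builds per track, copied from the "Official Fix" section of this page.
FIXED = {
    "2020": (2020, 9, 20063),
    "2017": (2017, 11, 30173),
    "2015": (2015, 6, 30524),
}
VERSION_RE = re.compile(r"^(\d{2}|\d{4})\.(\d{1,3})\.(\d{5})$")


def parse_version(text):
    """Return (year, release, build), or None if text is not a version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    year, release, build = (int(g) for g in m.groups())
    # Assumption: installers report a two-digit year ("20.009.20063").
    return (year + 2000 if year < 100 else year, release, build)


def track_of(version):
    """Pick the page's track name for a parsed version, or None."""
    year, _, build = version
    # Assumption (Adobe numbering, not stated on the page): build 30xxx
    # marks a Classic track named after its year; 20xxx marks Continuous.
    if build // 1000 == 30:
        return str(year) if str(year) in ("2015", "2017") else None
    if build // 1000 == 20:
        return "2020"
    return None


def status(text):
    """Classify one version string: vulnerable, patched or unknown."""
    version = parse_version(text)
    track = track_of(version) if version else None
    if track is None:
        return "unknown"
    return "patched" if version >= FIXED[track] else "vulnerable"


def check_output(output):
    """Classify every version line in command output (headers skipped)."""
    return {line.strip(): status(line) for line in output.splitlines()
            if parse_version(line)}


# Constructed sample shaped like the output of the wmic command above.
SAMPLE = "Version\n20.006.20042\n\n17.012.20098\n17.011.30173\n"
if __name__ == "__main__":
    print(check_output(SAMPLE))
```

The 17.012.20098 line in the sample is a Continuous-track build with a 2017 year, so it is measured against the 2020 track fix rather than the 2017 one; a comparison by year alone would report it as patched.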
📡 Detection & Monitoring
Log Indicators:
- Unexpected process crashes of AcroRd32.exe or Acrobat.exe
- Security feature bypass events in application logs
- Multiple failed security validation attempts
Network Indicators:
- Outbound connections from Adobe processes to unknown external IPs
- Unusual PDF file downloads followed by Adobe process execution
SIEM Query:
source="*adobe*" AND (event_type="crash" OR event_type="security_bypass")