CVE-2020-9606
📋 TL;DR
CVE-2020-9606 is a use-after-free vulnerability in Adobe Acrobat and Reader that could allow attackers to execute arbitrary code on affected systems. Users running vulnerable versions of Adobe Acrobat or Reader on any operating system are at risk. Successful exploitation requires a victim to open a malicious PDF file.
💻 Affected Systems
- Adobe Acrobat DC
- Adobe Acrobat Reader DC
- Adobe Acrobat 2017
- Adobe Acrobat Reader 2017
- Adobe Acrobat 2015
- Adobe Acrobat Reader 2015
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the user running Adobe Reader, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Arbitrary code execution within the context of the Adobe Reader process, allowing attackers to steal files, install malware, or pivot to other systems.
If Mitigated
Limited impact due to sandboxing features in modern Adobe Reader versions, potentially containing the exploit to the sandboxed process.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious PDF). No public exploit code was available at disclosure time, but use-after-free vulnerabilities in document readers are commonly weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acrobat DC/Reader DC: 2020.006.20048 or later; Acrobat 2017/Reader 2017: 2017.011.30170 or later; Acrobat 2015/Reader 2015: 2015.006.30523 or later
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb20-24.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat or Reader. 2. Go to Help > Check for Updates. 3. Follow prompts to install available updates. 4. Restart the application when prompted. 5. Verify update by checking Help > About Adobe Acrobat/Reader.
🔧 Temporary Workarounds
Disable JavaScript in Adobe Reader
allPrevents JavaScript-based exploitation vectors that might be used in conjunction with this vulnerability
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Use Protected View for untrusted PDFs
allForces PDFs from untrusted sources to open in Protected View mode
Edit > Preferences > Security (Enhanced) > Check 'Enable Protected View at startup' and 'Enable Enhanced Security'
🧯 If You Can't Patch
- Use alternative PDF viewers for untrusted documents
- Implement application whitelisting to block Adobe Reader execution
🔍 How to Verify
Check if Vulnerable:
Check Adobe Reader version against affected ranges: Help > About Adobe Acrobat/ReaderCheck Version:
On Windows: wmic product where name like "Adobe Acrobat%" get version; On macOS: /Applications/Adobe\ Acrobat\ Reader\ DC.app/Contents/Info.plist | grep -A1 CFBundleShortVersionStringVerify Fix Applied:
Verify version is patched: Help > About Adobe Acrobat/Reader shows version equal to or higher than patched versions📡 Detection & Monitoring
Log Indicators:
- Adobe Reader/Acrobat crash logs with memory access violations
- Unexpected child processes spawned from Adobe Reader
- Unusual file access patterns from Adobe Reader process
Network Indicators:
- Adobe Reader process making unexpected outbound connections
- DNS requests for suspicious domains from Adobe Reader
SIEM Query:
process_name:"AcroRd32.exe" OR process_name:"AdobeReader" AND (event_id:1000 OR event_id:1001) AND exception_code:0xc0000005