CVE-2020-9721
📋 TL;DR
This CVE describes an out-of-bounds read vulnerability in Adobe Acrobat and Reader that could allow attackers to read memory contents they shouldn't access. Successful exploitation could lead to information disclosure, potentially exposing sensitive data. Users of affected Adobe Acrobat and Reader versions are vulnerable.
💻 Affected Systems
- Adobe Acrobat DC
- Adobe Acrobat Reader DC
- Adobe Acrobat 2017
- Adobe Acrobat Reader 2017
- Adobe Acrobat 2015
- Adobe Acrobat Reader 2015
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive memory contents, potentially exposing passwords, encryption keys, or other confidential data stored in memory during PDF processing.
Likely Case
Information disclosure where attackers can read limited memory contents, potentially revealing some system information or partial document data.
If Mitigated
With proper controls like memory protection mechanisms and sandboxing, impact is limited to minimal information disclosure without system compromise.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious PDF file). No public proof-of-concept has been released as of the advisory date.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acrobat DC/Reader DC: 2020.009.20075 or later; Acrobat 2017/Reader 2017: 2017.011.30172 or later; Acrobat 2015/Reader 2015: 2015.006.30524 or later
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb20-48.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat or Reader. 2. Go to Help > Check for Updates. 3. Follow the prompts to download and install available updates. 4. Restart the application when prompted.
🔧 Temporary Workarounds
Disable JavaScript in Adobe Reader
allDisabling JavaScript can prevent exploitation through malicious PDFs that use JavaScript to trigger the vulnerability
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Use Protected View
allEnable Protected View for files from potentially untrusted sources
Edit > Preferences > Security (Enhanced) > Enable Protected View at startup
🧯 If You Can't Patch
- Restrict PDF file opening to trusted sources only
- Implement application whitelisting to prevent unauthorized Adobe Reader execution
🔍 How to Verify
Check if Vulnerable:
Check Adobe Acrobat/Reader version via Help > About Adobe Acrobat/Reader and compare with affected versionsCheck Version:
On Windows: wmic product where name like "Adobe Acrobat%" get version; On macOS: /Applications/Adobe\ Acrobat\ Reader\ DC.app/Contents/Info.plist | grep -A1 CFBundleShortVersionStringVerify Fix Applied:
Verify version is updated to patched versions: 2020.009.20075+, 2020.001.30003+, 2017.011.30172+, or 2015.006.30524+📡 Detection & Monitoring
Log Indicators:
- Application crashes in Adobe Acrobat/Reader logs
- Unexpected memory access errors in system logs
Network Indicators:
- Downloads of PDF files from untrusted sources
- Unusual PDF file attachments in email traffic
SIEM Query:
source="*acrobat*" AND (event_type="crash" OR error="memory" OR error="access")