Adobe on Thursday released a second patch to address a critical information disclosure vulnerability in Adobe reader, tracked as CVE 2019-7089, after the expert who initially discovered the flaw devised a method to bypass the first fix.
The vulnerability was discovered by Alex Inführ from Cure53, the expert discovered that the flaw could be exploited by using a specially crafted PDF document to send SMB requests to the attacker’s server when the file is opened.
The expert explained that the flaw is similar to the
CVE-2018-4993 (aka “BadPDF“) that fixed by Adobe in November. The flaw allowed to trigger a callback to an attacker-controlled SMB server and leak the users NTMLv2 hash.
Inführ tested the PoC on Adobe Acrobat Reader DC 19.010.20069 running on Windows OS.
The February 2019 Patch Tuesday updates addressed the vulnerability, but Infuhr immediately discovered that it could be bypassed.
News of the day is that Adobe released a second patch for the flaw in Adobe Reader and assigned it a new CVE identifier, CVE-2019-7815.
“Adobe has released security updates for Adobe Acrobat and Reader for Windows and
“Successful exploitation could lead to sensitive information disclosure in the context of the current user. ”
The good news is that Adobe it’s not aware of any attack exploiting the flaw in-the-wild. Now Adobe assigned the flaw a priority rating of 2, which suggests that exploitation should not be imminent.