CVE-2019-7089 is a critical zero-day vulnerability in Adobe Reader which was patched this month alongside 42 other critical flaws. The vulnerability is a sensitive data leak issue which can lead to information disclosure if successfully exploited. It turns out that the researcher who discovered the bug managed to bypass the first patch, and Adobe had to release a second fix.
CVE-2019-7089 Patch Was Bypassed, Adobe Releases Another One
CVE-2019-7089 was identified by security researcher Alex Inführ from Cure53. In short, it allows a specially crafted PDF document to send SMB requests to the hacker’s server when the file is opened. The flaw enables remote hackers to steal a user’s NTLM hash, which is included in the SMB request. Furthermore, the vulnerability can alert threat actors when the malicious PDF document is opened. Unfortunately, the original fix didn’t work as intended, as the researcher was able to bypass it.
As a result, Adobe had to release a new fix quickly to avoid exploitation. The fix is now available, and it has been assigned a new CVE identifier, CVE-2019-7815.
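The attack described above depends on the victim’s machine opening an outbound SMB connection (TCP 445 or 139) to a host the attacker controls, which is what carries the NTLM hash out. A defender can therefore watch for SMB egress to non-internal addresses, independent of which Reader version is installed. The following is an added example, not code from this article, from Adobe or from Cure53; the log line format, the sample entries and the list of ranges treated as “internal” are constructed assumptions and should be adapted to the environment.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample firewall log lines (hypothetical format:
# "<timestamp> <src-ip> <dst-ip> <proto> <dst-port> <action>").
SAMPLE_LOG = """\
2019-02-21T10:01:02Z 10.0.0.15 10.0.0.7 tcp 445 allow
2019-02-21T10:01:05Z 10.0.0.15 203.0.113.9 tcp 445 allow
2019-02-21T10:01:06Z 10.0.0.22 198.51.100.4 tcp 443 allow
2019-02-21T10:01:09Z 10.0.0.15 203.0.113.9 tcp 139 deny
2019-02-21T10:02:00Z 10.0.0.31 192.168.5.5 tcp 445 allow
"""

# Assumption: these ranges are "internal" for the environment being monitored.
# RFC 1918 space plus loopback and link-local; extend with your own public
# ranges or VPN pools as needed.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Ports used by SMB (direct hosting on 445, NetBIOS session service on 139).
SMB_PORTS = {445, 139}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) "
    r"(?P<dport>\d+) (?P<action>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_smb(log_text: str) -> List[Dict[str, object]]:
    """Return every TCP flow to an SMB port whose destination is not internal.

    Denied flows are reported too: a blocked attempt still shows that some
    process on the source host tried to reach an external SMB server, which
    is exactly the behaviour a document-triggered hash leak would produce.
    """
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        dport = int(rec["dport"])
        if rec["proto"].lower() != "tcp" or dport not in SMB_PORTS:
            continue
        if is_internal(rec["dst"]):
            continue
        alerts.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "dport": dport,
            "action": rec["action"],
        })
    return alerts


if __name__ == "__main__":
    for a in find_external_smb(SAMPLE_LOG):
        print(f"{a['ts']} external SMB {a['src']} -> {a['dst']}:{a['dport']} ({a['action']})")
```

On the constructed sample this reports the two flows from 10.0.0.15 to 203.0.113.9 (ports 445 and 139) and ignores the internal SMB traffic and the HTTPS flow. As a mitigation, blocking outbound TCP 445 and 139 at the network perimeter prevents the hash from leaving the network even when a vulnerable reader opens such a document; the detection above then serves to identify the host that attempted the connection.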
CVE-2019-7089 Similar to Older CVE-2018-4993 Vulnerability
As a matter of fact, Inführ announced his findings to the public at least two weeks before Adobe released the first, problematic patch. An unofficial patch was also released by 0patch a day before the official one. Moreover, CVE-2019-7089 is the second vulnerability Adobe has fixed that resembles CVE-2018-4993:
Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an NTLM SSO hash theft vulnerability. Successful exploitation could lead to information disclosure.
Fortunately, despite all this, Adobe says it has no reports of attacks exploiting the vulnerability in the wild. Needless to say, users should install the latest security release to mitigate the risk of attacks.