Adobe Acrobat Reader DC patched three serious vulnerabilities today for macOS. Update as soon as possible, because the flaws let malicious programs gain root privileges. Security researcher Yuebin Sin wrote about the flaws, and it doesn’t appear as if any of them has been exploited in the wild.
Open the app and click Help > Check for Update in the menu bar. This will install the security patches.
Acrobat Reader Flaws
Root access means that a program can do virtually anything it wants on macOS, such as reading and writing any file or database. The part of Acrobat Reader that runs as root is com.adobe.ARMDC.SMJobBlessHelper, installed in /Library/PrivilegedHelperTools/. This process is responsible for updating the software. It also hosts an XPC service called SMJobBlessHelper (com.adobe.ARMDC.SMJobBlessHelper), which is the interface other processes use to talk to it.
- Vulnerability 1: Insufficient checking of the NSXPC connection client (the helper does not adequately verify who is connecting to it).
- Vulnerability 2: The temp directory root protection can be bypassed.
- Vulnerability 3: ValidateBinary and launchARMHammer have a race condition window (the binary can change between being validated and being launched).
Further details can be found in the blog post, but essentially these flaws give an attacker arbitrary code execution. That means an attacker could install programs, view, change, or delete data, or create new accounts on your Mac with full user privileges.
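For readers who build or audit privileged helper tools, this added example (not Adobe's code, and not from the researcher's post) shows the defensive pattern that the first vulnerability is about: a root helper's NSXPCListener delegate refusing any connection whose calling process does not satisfy a code-signing requirement. The helper protocol, the bundle identifier com.example.UpdaterApp and the Team ID TEAMID0000 are assumed placeholder values.

```swift
import Foundation
import Security

// Hypothetical interface the privileged helper exposes over XPC (assumed).
@objc protocol HelperProtocol {
    func applyUpdate(at path: String, reply: @escaping (Bool) -> Void)
}

final class Helper: NSObject, HelperProtocol {
    func applyUpdate(at path: String, reply: @escaping (Bool) -> Void) {
        // Real work would go here; the example only demonstrates gating access.
        reply(false)
    }
}

final class HelperListenerDelegate: NSObject, NSXPCListenerDelegate {
    // Designated requirement every caller must satisfy: an Apple-issued
    // signature, a specific bundle identifier and a specific Team ID.
    // Both identifiers are placeholders, not values from the article.
    private let clientRequirement =
        "anchor apple generic and identifier \"com.example.UpdaterApp\" " +
        "and certificate leaf[subject.OU] = \"TEAMID0000\""

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        // Reject before exporting anything: an unverified caller never gets an
        // object to talk to. This is the check the article says was too weak.
        guard callerSatisfiesRequirement(pid: newConnection.processIdentifier) else {
            return false
        }
        newConnection.exportedInterface = NSXPCInterface(with: HelperProtocol.self)
        newConnection.exportedObject = Helper()
        newConnection.resume()
        return true
    }

    // Looks up the running code for the caller's PID and evaluates it against
    // the requirement using the Security framework's code-signing APIs.
    private func callerSatisfiesRequirement(pid: pid_t) -> Bool {
        var code: SecCode?
        let attributes = [kSecGuestAttributePid: pid] as CFDictionary
        guard SecCodeCopyGuestWithAttributes(nil, attributes, [], &code) == errSecSuccess,
              let callerCode = code else {
            return false
        }

        var requirement: SecRequirement?
        guard SecRequirementCreateWithString(clientRequirement as CFString, [], &requirement)
                == errSecSuccess,
              let req = requirement else {
            return false
        }

        // Validity check fails if the caller is unsigned, modified, or signed
        // by anyone other than the expected identity.
        return SecCodeCheckValidity(callerCode, [], req) == errSecSuccess
    }
}

// Typical helper entry point: the listener is created with the Mach service
// name registered for the helper via SMJobBless (name assumed here).
let delegate = HelperListenerDelegate()
let listener = NSXPCListener(machServiceName: "com.example.UpdaterHelper")
listener.delegate = delegate
listener.resume()
RunLoop.current.run()
```

Two caveats matter when reviewing code like this. Identifying the caller by PID is itself slightly racy, since a process can exec a different binary after connecting, so checking the connection's audit token is the stronger form of the same idea. And this check only addresses the first of the three flaws listed above; the temp-directory bypass and the validate-then-launch race are separate issues, and the usual fix for the latter is to validate and execute the same already-opened file rather than re-resolving a path between the two steps.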
So why exactly does a PDF reader need root privileges in the first place?
I’m pretty sure Preview doesn’t need or use root privileges. It seems like a terrible idea for any document viewer (not to mention one that a web browser might open automatically for PDF downloads) to have root privileges.
Edit: apparently it’s Adobe’s software update system, because they don’t want to use Apple’s software update for some reason.
> It runs as root and no sandbox is applied, and hosts an XPC service named SMJobBlessHelper
Well that’s a terrible idea. Fortunately, as I understand it at least, XPC is a local interface rather than a network-facing one.
Andrew:
Many thanks for the heads up. I downloaded the update first thing this morning.
I had thought, at one point, that I could get by with Preview and PDF Pen, which I use extensively, particularly for contracts.
Sadly, a number of peer-reviewed journals design their COI (conflict of interest) and author validation and disclosure forms only for Adobe Reader (they simply will not load on other PDF clients), and will auto-populate on Adobe. In addition, many academic book publishers will only send and accept comments on galley proofs in Adobe format. The reading experience is actually quite good, and the editing tools quite robust, even their often opaque accessibility. PDFPen remains simply more granular and accessible a tool, in my opinion.
Now, back to reviewing more manuscripts on Adobe Reader.
Hmmm, mine says that the app is up to date. Is there a setting for automatic updates? I didn’t see one in preferences.
What? WHAT? There is a serious security issue in an Adobe product? I can’t imagine such a thing. /s