Critical Vulnerabilities in Adobe Acrobat Software
History:
- 12/05/2021 --- v1.0 -- Initial publication
Summary
Adobe has released 12 updates addressing 44 vulnerabilities in Experience Manager, InDesign, Illustrator, InCopy, Adobe Genuine Service, Acrobat and Reader, Magento, Creative Cloud Desktop, Media Encoder, After Effects, Medium, and Animate [1, 4]. The most critical of them -- CVE-2021-28550 -- may allow attackers to remotely execute code [3].
Technical Details
This advisory describes only the most critical vulnerability, CVE-2021-28550, because Adobe has received a report that it has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.
Adobe has not provided any technical details about the attacks, but an attacker could exploit this vulnerability by tricking victims into opening a specially crafted PDF with an affected version of Acrobat Reader [2, 5].
Priority and Severity Rating for CVE-2021-28550
- Priority - 1 (Highest): this update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for example, within 72 hours) [3].
- Severity - Critical (Highest): a vulnerability which, if exploited, would allow malicious native code to execute, potentially without a user being aware [3].
Affected Products
The following products could be affected by the vulnerability [2]:
Product | Affected Versions | Platform
---|---|---
Acrobat DC | 2021.001.20150 and earlier versions | Windows
Acrobat Reader DC | 2021.001.20150 and earlier versions | Windows
Acrobat DC | 2021.001.20149 and earlier versions | macOS
Acrobat Reader DC | 2021.001.20149 and earlier versions | macOS
Acrobat 2020 | 2020.001.30020 and earlier versions | Windows & macOS
Acrobat DC | 2020.001.30020 and earlier versions | Windows & macOS
Acrobat 2017 | 2017.011.30194 and earlier versions | Windows & macOS
Acrobat DC | 2017.011.30194 and earlier versions | Windows & macOS
Recommendations
It is recommended to update all affected software to the latest versions.
References
[1] https://helpx.adobe.com/security.html
[2] https://helpx.adobe.com/security/products/acrobat/apsb21-29.html
[3] https://helpx.adobe.com/security/severity-ratings.html
[4] https://www.zerodayinitiative.com/blog/2021/5/11/the-may-2021-security-update-review
[5] https://securityaffairs.co/wordpress/117792/security/windows-zero-day-4.html