{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-024.pdf"
    },
    "title": "Critical Vulnerabilities in Adobe Acrobat Software",
    "serial_number": "2021-024",
    "publish_date": "12-05-2021 16:03:00",
    "description": "Adobe has released 12 updates addressing 44 vulnerabilities in Experience Manager, InDesign, Illustrator, InCopy, Adobe Genuine Service, Acrobat and Reader, Magento, Creative Cloud Desktop, Media Encoder, After Effects, Medium, and Animate. The  most critical of them - CVE-2021-28550 - may allow attackers to remotely execute code.",
    "url_title": "2021-024",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities in\u00a0Adobe\u00a0Acrobat\u00a0Software'\nversion: '1.0'\nnumber: '2021-024'\ndate: 'May 12, 2021'\n---\n\n_History:_\n\n* _12/05/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nAdobe has released 12 updates addressing 44 vulnerabilities in Experience Manager, InDesign, Illustrator, InCopy, Adobe Genuine Service, Acrobat and Reader, Magento, Creative Cloud Desktop, Media Encoder, After Effects, Medium, and Animate [1, 4]. The  most critical of them -- CVE-2021-28550 -- may allow attackers to remotely execute code [3].\n\n# Technical Details\n\nThis advisory only describes the most **critical** vulnerability **CVE-2021-28550**, because Adobe has received a report that CVE-2021-28550 vulnerability **has been exploited** in the wild in limited attacks targeting Adobe Reader users on Windows.\n\nIn addition, Adobe has not provided any technical details about the attacks, but this vulnerability could be exploited by an attacker by tricking victims into opening specially crafted PDF with an affected version of Acrobat Reader [2, 5].\n\n## Priority and Severity Rating for **CVE-2021-28550**\n\n* Priority - 1 (Highest): this update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible. (for example, within 72 hours) [3].\u202f\n* Severity - Critical (Highest): a vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware [3].\u202f\n\n# Affected Products\n\nThe following products could be affected by the vulnerability [2]:\n\n| Product           | Affected Versions                    | Platform        |\n| :---------------: | :------------------------------------| :-------------: |\n| Acrobat DC        | 2021.001.20150\u202fand\u202fearlier\u202fversions\u202f\u202f| Windows         |\n| Acrobat Reader DC | 2021.001.20150\u202fand\u202fearlier\u202fversions\u202f\u202f| Windows         |\n| Acrobat DC        | 2021.001.20149\u202fand\u202fearlier\u202fversions\u202f\u202f| MacOS           |\n| Acrobat Reader DC | 2021.001.20149\u202fand\u202fearlier versions\u202f\u202f| MacOS           |\n| Acrobat 2020      | 2020.001.30020 and earlier versions\u202f\u202f| Windows & macOS |\n| Acrobat DC        | 2020.001.30020 and earlier versions\u202f\u202f| Windows & macOS |\n| Acrobat 2017      | 2017.011.30194\u202f and\u202fearlier\u202fversions\u202f| Windows & macOS |\n| Acrobat DC        | 2017.011.30194\u202f and\u202fearlier\u202fversions\u202f| Windows & macOS |                                                    \u202f                \n\n\n# Recommendations\n\nIt is recommended to update all affected software to the latest versions.\n\n# References\n\n[1] <https://helpx.adobe.com/security.html>\n\n[2] <https://helpx.adobe.com/security/products/acrobat/apsb21-29.html>\n\n[3] <https://helpx.adobe.com/security/severity-ratings.html>\n\n[4] <https://www.zerodayinitiative.com/blog/2021/5/11/the-may-2021-security-update-review>\n\n[5] <https://securityaffairs.co/wordpress/117792/security/windows-zero-day-4.html>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>12/05/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>Adobe has released 12 updates addressing 44 vulnerabilities in Experience Manager, InDesign, Illustrator, InCopy, Adobe Genuine Service, Acrobat and Reader, Magento, Creative Cloud Desktop, Media Encoder, After Effects, Medium, and Animate [1, 4]. The most critical of them -- CVE-2021-28550 -- may allow attackers to remotely execute code [3].</p><h2 id=\"technical-details\">Technical Details</h2><p>This advisory only describes the most <strong>critical</strong> vulnerability <strong>CVE-2021-28550</strong>, because Adobe has received a report that CVE-2021-28550 vulnerability <strong>has been exploited</strong> in the wild in limited attacks targeting Adobe Reader users on Windows.</p><p>In addition, Adobe has not provided any technical details about the attacks, but this vulnerability could be exploited by an attacker by tricking victims into opening specially crafted PDF with an affected version of Acrobat Reader [2, 5].</p><h3 id=\"priority-and-severity-rating-for-cve-2021-28550\">Priority and Severity Rating for <strong>CVE-2021-28550</strong></h3><ul><li>Priority - 1 (Highest): this update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible. (for example, within 72 hours) [3].\u202f</li><li>Severity - Critical (Highest): a vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware [3].\u202f</li></ul><h2 id=\"affected-products\">Affected Products</h2><p>The following products could be affected by the vulnerability [2]:</p><table><thead><tr><th style=\"text-align:center;\">Product</th><th style=\"text-align:left;\">Affected Versions</th><th style=\"text-align:center;\">Platform</th></tr></thead><tbody><tr><td style=\"text-align:center;\">Acrobat DC</td><td style=\"text-align:left;\">2021.001.20150\u202fand\u202fearlier\u202fversions</td><td style=\"text-align:center;\">Windows</td></tr><tr><td style=\"text-align:center;\">Acrobat Reader DC</td><td style=\"text-align:left;\">2021.001.20150\u202fand\u202fearlier\u202fversions</td><td style=\"text-align:center;\">Windows</td></tr><tr><td style=\"text-align:center;\">Acrobat DC</td><td style=\"text-align:left;\">2021.001.20149\u202fand\u202fearlier\u202fversions</td><td style=\"text-align:center;\">MacOS</td></tr><tr><td style=\"text-align:center;\">Acrobat Reader DC</td><td style=\"text-align:left;\">2021.001.20149\u202fand\u202fearlier versions</td><td style=\"text-align:center;\">MacOS</td></tr><tr><td style=\"text-align:center;\">Acrobat 2020</td><td style=\"text-align:left;\">2020.001.30020 and earlier versions</td><td style=\"text-align:center;\">Windows &amp; macOS</td></tr><tr><td style=\"text-align:center;\">Acrobat DC</td><td style=\"text-align:left;\">2020.001.30020 and earlier versions</td><td style=\"text-align:center;\">Windows &amp; macOS</td></tr><tr><td style=\"text-align:center;\">Acrobat 2017</td><td style=\"text-align:left;\">2017.011.30194\u202f and\u202fearlier\u202fversions</td><td style=\"text-align:center;\">Windows &amp; macOS</td></tr><tr><td style=\"text-align:center;\">Acrobat DC</td><td style=\"text-align:left;\">2017.011.30194\u202f and\u202fearlier\u202fversions</td><td style=\"text-align:center;\">Windows &amp; macOS</td><td></td></tr></tbody></table><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to update all affected software to the latest versions.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://helpx.adobe.com/security.html\">https://helpx.adobe.com/security.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://helpx.adobe.com/security/products/acrobat/apsb21-29.html\">https://helpx.adobe.com/security/products/acrobat/apsb21-29.html</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://helpx.adobe.com/security/severity-ratings.html\">https://helpx.adobe.com/security/severity-ratings.html</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.zerodayinitiative.com/blog/2021/5/11/the-may-2021-security-update-review\">https://www.zerodayinitiative.com/blog/2021/5/11/the-may-2021-security-update-review</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://securityaffairs.co/wordpress/117792/security/windows-zero-day-4.html\">https://securityaffairs.co/wordpress/117792/security/windows-zero-day-4.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}