Yesterday (10/10/23), a high-severity flaw in Adobe Acrobat Reader was added to the Known Exploited Vulnerabilities catalog maintained by CISA (the United States Cybersecurity and Infrastructure Security Agency). There is evidence that the flaw is being actively exploited, though no details about the nature of the exploitation or the threat actors involved have been released at this time.
CVE-2023-21608 is categorized as a “Use-After-Free” bug, a class of memory-safety error in which a program continues to use a pointer to memory after that memory has been freed, which an attacker can abuse to corrupt the program’s state. It has a CVSS score of 7.8, and a proof-of-concept exploit for the flaw has been publicly available since it was first circulated in January of 2023. The exploit is capable of achieving remote code execution on the victim’s system with the privileges of the current user account.
The good news is that a patch for the flaw was released at around the same time as the proof-of-concept exploit. The bad news is that Adobe Acrobat Reader is a very commonly used and regularly downloaded piece of software across countless industries and job roles. Managed, distributed rollout of the patch(es) that repair this flaw should be deliberate and thorough. The following versions of the software are impacted:
- Acrobat DC – 22.003.20282 (Windows), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310)
- Acrobat Reader DC – 22.003.20282 (Windows), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310)
- Acrobat 2020 – 20.005.30418 and earlier versions (fixed in 20.005.30436)
- Acrobat Reader 2020 – 20.005.30418 and earlier versions (fixed in 20.005.30436)
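Because the affected and fixed builds are spelled out per product track, an inventory check reduces to a numeric comparison of each installed version against the first fixed build for its track. The following script is an added example, not part of the original advisory or any Adobe tooling: it encodes the fixed builds listed above, compares version strings numerically rather than lexically (so that the later continuous-track releases that begin with 23 are not mistaken for vulnerable ones), rejects malformed version strings instead of silently passing them, and triages a constructed sample inventory. The host names and the 23.001.20099 version string are constructed for illustration.

```python
"""Triage Adobe Acrobat / Reader installs against the fixed builds for CVE-2023-21608."""
import re
from typing import Dict, List, Tuple

# First fixed build per product track, as stated in the advisory (APSB23-01).
FIXED_VERSIONS: Dict[str, str] = {
    "Acrobat DC": "22.003.20310",
    "Acrobat Reader DC": "22.003.20310",
    "Acrobat 2020": "20.005.30436",
    "Acrobat Reader 2020": "20.005.30436",
}

# Acrobat version strings are dotted runs of digits, e.g. "22.003.20282".
_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '22.003.20282' into (22, 3, 20282) so tuples compare numerically.

    Anything that is not a dotted run of digits is rejected rather than
    treated as 'unknown but fine': a malformed inventory entry should be
    surfaced, not silently marked patched.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"unrecognised Acrobat version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(product: str, version: str) -> bool:
    """True if `version` of `product` is older than the first fixed build.

    The Windows (22.003.20282) and Mac (22.003.20281) builds named in the
    advisory both compare below 22.003.20310, so one rule covers both OSes.
    """
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product track: {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def triage_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) records that still need the patch."""
    return [rec for rec in inventory if is_vulnerable(rec[1], rec[2])]


# Constructed sample inventory: hypothetical hosts, not data from the advisory.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "Acrobat Reader DC", "22.003.20282"),   # Windows build named as affected
    ("mac-07", "Acrobat Reader DC", "22.003.20281"),  # Mac build named as affected
    ("ws-02", "Acrobat Reader DC", "22.003.20310"),   # exactly the fixed build
    ("ws-03", "Acrobat Reader DC", "23.001.20099"),   # constructed later-track version string
    ("ws-04", "Acrobat 2020", "20.005.30418"),        # affected 2020-track build
    ("ws-05", "Acrobat Reader 2020", "20.005.30436"), # fixed 2020-track build
]

if __name__ == "__main__":
    for host, product, version in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> update to {FIXED_VERSIONS[product]}")
```

Feed it whatever your endpoint management or software inventory tool exports; the comparison is on integer tuples, so a string sort (where "23.001..." would sort before "22.003.20310" only by accident of length) is never relied on, and a record with an unparseable version fails loudly so it can be investigated rather than assumed patched.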
For information on Adobe’s security update from January 2023, please click here: https://helpx.adobe.com/security/products/acrobat/apsb23-01.html
For more information on CVE-2023-21608, please click here: https://nvd.nist.gov/vuln/detail/CVE-2023-21608
