Adobe is warning customers of a critical zero-day bug actively exploited in the wild that affects its ubiquitous Adobe Acrobat PDF reader software. A patch is available, as part of the company’s Tuesday roundup of 43 fixes for 12 of its products, including Adobe Creative Cloud Desktop Application, Illustrator, InDesign, and Magento.
According to Adobe, the zero-day vulnerability, which is tracked as CVE-2021-28550, “has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.”
Windows users of Adobe Reader may be the only ones currently targeted. However, the bug affects eight versions of the software, including those running on Windows and macOS systems. Versions include:
- Windows Acrobat DC & Reader DC (versions 2021.001.20150 and earlier)
- macOS Acrobat DC & Reader DC (versions 2021.001.20149 and earlier)
- Windows & macOS Acrobat 2020 & Acrobat Reader 2020 (2020.001.30020 and earlier versions)
- Windows & macOS Acrobat 2017 & Acrobat Reader 2017 (2017.011.30194 and earlier versions)
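As an added example (not code from Adobe's bulletin or from this article), the following Python script checks an inventory of installed Acrobat and Reader versions against the affected ranges listed above. Adobe's dotted version strings must be compared numerically, field by field, not as plain strings. The track and platform labels, the inventory tuple format, and the sample hosts and version numbers are constructed for illustration; the maximum affected versions are the ones quoted from the bulletin.

```python
"""Triage installed Acrobat/Reader versions against the CVE-2021-28550 affected ranges."""
from typing import Iterable, List, Tuple

# Highest affected version per (track, platform), copied from the bulletin list above.
# "dc" is the continuous track (Acrobat DC / Reader DC); "2020" and "2017" are the
# classic tracks. The track/platform labels themselves are this script's own convention.
AFFECTED_MAX = {
    ("dc", "windows"): "2021.001.20150",
    ("dc", "macos"): "2021.001.20149",
    ("2020", "windows"): "2020.001.30020",
    ("2020", "macos"): "2020.001.30020",
    ("2017", "windows"): "2017.011.30194",
    ("2017", "macos"): "2017.011.30194",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2021.001.20150' into (2021, 1, 20150) so tuples compare numerically.

    String comparison would be wrong here: '2021.001.9999' sorts after
    '2021.001.20150' lexically but is an older build.
    """
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(track: str, platform: str, installed: str) -> bool:
    """Return True if the installed build is at or below the affected maximum."""
    key = (track.lower(), platform.lower())
    if key not in AFFECTED_MAX:
        raise ValueError(f"no affected range known for track={track!r} platform={platform!r}")
    return parse_version(installed) <= parse_version(AFFECTED_MAX[key])


def triage(inventory: Iterable[Tuple[str, str, str, str]]) -> List[str]:
    """Given (host, track, platform, version) records, return hosts still needing the patch."""
    return [host for host, track, platform, version in inventory
            if is_affected(track, platform, version)]


# Constructed sample inventory (hostnames and the "newer" builds are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "dc", "windows", "2021.001.20150"),    # exactly the listed maximum: affected
    ("ws-02", "dc", "windows", "2021.001.20160"),    # constructed newer build: not affected
    ("mac-01", "dc", "macos", "2021.001.20150"),     # above the macOS maximum of .20149
    ("ws-03", "2020", "windows", "2020.001.30020"),  # classic 2020 maximum: affected
    ("mac-02", "2017", "macos", "2017.011.30100"),   # older classic 2017 build: affected
    ("ws-04", "2017", "windows", "2017.011.30195"),  # constructed newer build: not affected
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Acrobat/Reader build is within the affected range, apply the May update")
```

The installed version comes from Help > About in the product or from your software inventory tool; feed those records into `triage` in place of the constructed sample. Note the macOS and Windows DC maximums differ by one build, which is why the platform is part of the lookup key.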
Adobe did not release technical specifics regarding the zero-day vulnerability. Typically, those details become available after users have had an opportunity to apply the fix. “Users can update their product installations manually by choosing Help > Check for Updates,” Adobe wrote in its May security bulletin, posted Tuesday.
May Adobe Update Fixes Multiple Critical Bugs
Also part of Tuesday’s roundup of 43 fixes are several other bugs rated critical. In all, Adobe Acrobat received 10 critical and four important vulnerability patches. Seven of those were arbitrary code execution bugs. Three of the vulnerabilities patched on Tuesday (CVE-2021-21044, CVE-2021-21038, CVE-2021-21086) are out-of-bounds write flaws.
Adobe Illustrator received the next highest number of patches on Tuesday, with five critical code execution vulnerabilities fixed. According to Adobe’s description of the flaws, three (CVE-2021-21103, CVE-2021-21104, CVE-2021-21105) are memory corruption bugs that could let an attacker trigger arbitrary code execution on a targeted system. Kushal Arvind Shah, a bug hunter with Fortinet’s FortiGuard Labs, is credited with reporting the three memory corruption bugs.
Additional Adobe products receiving patches included Adobe Animate, Adobe Medium, Adobe After Effects, Adobe Media Encoder, Adobe Genuine Service and Adobe InCopy.