Adobe warns of a vulnerability in Adobe Acrobat and Reader for Windows and macOS that is under active attack. Attackers can thus gain control over underlying systems via a heap-based buffer overflow.
The company writes this in a Security Bulletin. The most recent security update, APSB21-09 of Adobe Acrobat and Reader addresses a number of critical and important vulnerabilities in Acrobat, Magento, Photoshop, Animate, Illustrator, and Dreamweaver. The most important is a vulnerability in Acrobat and Reader: successful exploitation of these gives an attacker the possibility of arbitrary code execution. That is, an attacker can execute code in a victim’s operating system. Adobe says this vulnerability, CVE-2021-21017, has been actively exploited in the wild. This vulnerability causes a heap-based buffer overflow, which can be exploited by malicious people.
Adobe recommends that users update Adobe DC or Acrobat Reader DC, Acrobat and Reader 2017, and Acrobat and Reader 2020 as soon as possible to address this serious vulnerability, which has been proven to be exploitable. This concerns software on both Windows and macOS. In total, the updates fix 23 vulnerabilities, of which Adobe considers 17 ‘Critical’. The rest rate it as ‘Important’. It concerns several buffer overflow bugs, but also, for example, an improper access control that gives an attacker the opportunity to gain more rights so that they can perform more functions on a system.
In addition to Acrobat and Reader, Adobe also reports vulnerabilities for Magento, Illustrator, Animate, and Dreamweaver.
Bug CVE-2021-21017 was reported anonymously to Adobe. Adobe says it has seen the vulnerability exploited in the wild, but the company won’t provide further details. As a result, it is not known who became a victim of the vulnerability or whether critical data was stolen with it, but according to Adobe, the attacks are “limited attacks” targeting Adobe Reader users running Windows. Windows has also released an update for a zero day. This vulnerability in Win32 could allow an attacker who, for example, exploits the vulnerabilities in Acrobat and Reader, to increase his privileges on the system. That update will be installed automatically on most systems as soon as possible.