A critical vulnerability in Adobe Reader has been exploited in “limited attacks.”
Adobe is warning of a critical vulnerability that has been exploited in the wild to target Adobe Reader users on Windows.
The vulnerability (CVE-2021-21017) has been exploited in “limited attacks,” according to Adobe’s Tuesday advisory, part of its regularly scheduled February updates. The flaw in question is a critical-severity heap-based buffer overflow.
A heap-based buffer overflow occurs when a program writes more data into a buffer allocated on the heap (the region of a process’ memory used to store dynamically allocated data) than that buffer can hold, so the excess spills into adjacent memory. A buffer overflow typically causes the affected program to behave incorrectly or crash; in this case, the flaw can be exploited to execute arbitrary code on affected systems.
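To make the pattern concrete, the following is an added illustration written for this article, not Adobe’s code and unrelated to the internal details of CVE-2021-21017. It uses a hypothetical heap-allocated `struct record` with a fixed-size `name` field: the unsafe constructor copies untrusted input with no length check, so anything longer than the field overruns into the neighbouring `flags` member and beyond; the hardened constructor rejects oversized input before allocating.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of a heap-based overflow and its fix (constructed
 * example; not Adobe's code, not the actual CVE-2021-21017 code path). */

#define RECORD_CAP 16   /* hypothetical fixed-size field inside a heap record */

struct record {
    char name[RECORD_CAP];
    int flags;          /* sits directly after name[] inside the heap chunk */
};

/* Unsafe: copies without checking length. Input of RECORD_CAP bytes or more
 * runs past name[] into flags and whatever follows in the heap. */
struct record *record_new_unsafe(const char *input) {
    struct record *r = malloc(sizeof *r);
    if (!r) return NULL;
    r->flags = 0;
    strcpy(r->name, input);   /* overflow when strlen(input) >= RECORD_CAP */
    return r;
}

/* Hardened: rejects oversized input up front so the copy is always bounded. */
struct record *record_new_safe(const char *input) {
    size_t n = strlen(input);
    if (n >= RECORD_CAP)      /* must leave room for the NUL terminator */
        return NULL;
    struct record *r = malloc(sizeof *r);
    if (!r) return NULL;
    r->flags = 0;
    memcpy(r->name, input, n + 1);
    return r;
}

/* Returns 1 if the hardened constructor accepts the input, 0 if it rejects it. */
int safe_accepts(const char *input) {
    struct record *r = record_new_safe(input);
    if (!r) return 0;
    free(r);
    return 1;
}

int main(void) {
    /* Constructed sample inputs: one in-bounds, one oversized. */
    const char *ok = "short-name";
    const char *too_long = "this-string-is-longer-than-sixteen-bytes";

    printf("safe(\"%s\") -> %s\n", ok, safe_accepts(ok) ? "accepted" : "rejected");
    printf("safe(\"%s\") -> %s\n", too_long,
           safe_accepts(too_long) ? "accepted" : "rejected");

    /* The unsafe path is only ever fed in-bounds data here; feeding it
     * too_long would be undefined behaviour (heap corruption). */
    struct record *r = record_new_unsafe(ok);
    if (r) {
        printf("unsafe copy of in-bounds input: %s\n", r->name);
        free(r);
    }
    return 0;
}
```

The difference between the two constructors is a single length check before the copy, which is exactly the kind of missing bound that turns a parsing bug into memory corruption. The program deliberately never calls the unsafe path with oversized input, because doing so corrupts heap metadata and the result is undefined.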
“Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS,” said Adobe on Tuesday. “These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.”
Adobe Flaw: Security Updates
Acrobat is Adobe’s popular family of application software and web services used to view, create and manage files. CVE-2021-21017, which was anonymously reported, affects the following Adobe Acrobat Reader versions:
- Acrobat Reader DC versions 2020.013.20074 and earlier for Windows and macOS
- Acrobat Reader 2020 versions 2020.001.30018 and earlier for Windows and macOS
- Acrobat Reader 2017 versions 2017.011.30188 and earlier for Windows and macOS
The flaw has been patched in the following versions:
- Acrobat Reader DC version 2021.001.20135
- Acrobat Reader 2020 version 2020.001.30020
- Acrobat Reader 2017 version 2017.011.30190
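Version strings like these are easy to compare wrongly (a plain string comparison mis-orders “2020.013” against “2020.1”). The following is an added helper, not Adobe’s tooling, that parses the YEAR.MINOR.BUILD form used above, compares field by field numerically, and reports whether an installed Reader version on a given track (DC, 2020 or 2017) is below the patched version from this advisory. The track names and the sample inventory in `main` are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added helper (not Adobe's code) that checks an installed Acrobat Reader
 * version against the patched versions listed in Adobe's advisory.
 * Version strings take the form YEAR.MINOR.BUILD, e.g. 2021.001.20135. */

struct version { int year, minor, build; };

/* Parses "2020.013.20074" into three numeric fields; returns 0 on bad input. */
int parse_version(const char *s, struct version *v) {
    char trailing;
    /* Exactly three fields and nothing after them; "013" parses as 13. */
    return sscanf(s, "%d.%d.%d%c", &v->year, &v->minor, &v->build, &trailing) == 3;
}

/* Returns <0, 0 or >0 like strcmp, comparing each field numerically. */
int compare_version(const struct version *a, const struct version *b) {
    if (a->year  != b->year)  return a->year  < b->year  ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->build != b->build) return a->build < b->build ? -1 : 1;
    return 0;
}

/* Patched versions from the advisory, keyed by product track (track names
 * are labels chosen for this example). */
static const struct { const char *track; const char *fixed; } fixed_versions[] = {
    { "DC",   "2021.001.20135" },
    { "2020", "2020.001.30020" },
    { "2017", "2017.011.30190" },
};

/* Returns 1 if `installed` on `track` is older than the fix (affected),
 * 0 if it is at or above the fix, -1 for an unknown track or bad version. */
int is_affected(const char *track, const char *installed) {
    struct version have, fix;
    if (!parse_version(installed, &have)) return -1;
    for (size_t i = 0; i < sizeof fixed_versions / sizeof fixed_versions[0]; i++) {
        if (strcmp(fixed_versions[i].track, track) == 0) {
            if (!parse_version(fixed_versions[i].fixed, &fix)) return -1;
            return compare_version(&have, &fix) < 0 ? 1 : 0;
        }
    }
    return -1;
}

int main(void) {
    /* Constructed sample inventory: (track, installed version) pairs. */
    const char *inventory[][2] = {
        { "DC",   "2020.013.20074" },   /* last affected DC version per the advisory */
        { "DC",   "2021.001.20135" },   /* exactly the fixed version */
        { "2020", "2020.001.30018" },
        { "2017", "2017.011.30190" },
        { "2017", "not-a-version" },
    };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        int r = is_affected(inventory[i][0], inventory[i][1]);
        printf("%-4s %-16s -> %s\n", inventory[i][0], inventory[i][1],
               r == 1 ? "AFFECTED, update" : r == 0 ? "patched" : "unknown");
    }
    return 0;
}
```

The track has to be supplied explicitly because the version string alone does not identify it: a Reader DC build and a Reader 2020 Classic build can both start with “2020.”. Any version that parses but compares below the track’s fixed version is treated as affected, matching the advisory’s “and earlier” wording.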
These patches are a priority level 1, which according to Adobe means they resolve “vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.”
“Adobe recommends administrators install the update as soon as possible (for example, within 72 hours),” according to its update.
Other Adobe Acrobat and Reader Critical Flaws
Including this exploited flaw, Adobe patched flaws tied to 23 CVEs overall in Acrobat and Reader – including 17 critical-severity CVEs.
Most of these critical flaws could allow for arbitrary code execution, including a path traversal glitch (CVE-2021-21037), integer overflow error (CVE-2021-21036) and out-of-bounds write issues (CVE-2021-21044, CVE-2021-21038). Also patched were buffer overflow flaws (CVE-2021-21058, CVE-2021-21059, CVE-2021-21062, CVE-2021-21063) and use-after-free errors (CVE-2021-21041, CVE-2021-21040, CVE-2021-21039, CVE-2021-21035, CVE-2021-21033, CVE-2021-21028 and CVE-2021-21021).
A critical improper access control flaw (CVE-2021-21045) was also patched that allowed for privilege escalation.
Critical Magento Security Updates
In addition to Acrobat and Reader security updates, Adobe also issued patches for critical vulnerabilities in Magento, its e-commerce platform.
Seven critical flaws were patched as part of this security update. All these flaws, if exploited, could lead to arbitrary code execution. These flaws include three security bypass issues (CVE-2021-21015, CVE-2021-21016 and CVE-2021-21025), a command injection flaw (CVE-2021-21018), an XML injection vulnerability (CVE-2021-21019), a file upload allow list bypass (CVE-2021-21014) and a cross-site scripting flaw (CVE-2021-21030).
Affected are Magento Commerce and Magento Open Source versions 2.4.1 and earlier (with a fix in 2.4.2); 2.4.0-p1 and earlier (with a fix in 2.4.1-p1); and 2.3.6 and earlier (with a fix in 2.3.6-p1).
The update is a priority level 2, which according to Adobe “resolves vulnerabilities in a product that has historically been at elevated risk.”
Magento would be categorized as “elevated risk” because it is commonly targeted by attackers such as the Magecart threat group, which compromise e-commerce stores for attacks like web skimming. However, there are currently no known exploits for these flaws, said Adobe.
Other Security Flaws in Adobe Products
Adobe on Tuesday also patched critical-severity flaws in Adobe Photoshop (CVE-2021-21049, CVE-2021-21050, CVE-2021-21048, CVE-2021-21051 and CVE-2021-21047), Adobe Animate (CVE-2021-21052) and Adobe Illustrator (CVE-2021-21053, CVE-2021-21054).
However, these patches came with a priority level 3 ranking, which means that they resolve vulnerabilities in a product that “has historically not been a target for attackers.”
For these flaws, “Adobe recommends administrators install the update at their discretion,” according to the security update.
Adobe’s February fixes come on the heels of a busy January security update, when the company patched seven critical vulnerabilities. The impact of the most serious of these flaws ranged from arbitrary code execution to sensitive information disclosure.