THREAT UPDATE
Critical security updates for many Adobe products have recently been released for both Mac OS and Windows. These updates are extremely important as they could lead to potential machine and network compromise. The most popular Adobe products, Acrobat and Reader, have particularly critical vulnerabilities. rocketwise recommends applying the updates for every Adobe product, which were published on June 8, 2021. We also recommend reviewing the references section below for more in-depth detail about the vulnerabilities.
TECHNICAL DETAIL & ADDITIONAL INFORMATION
WHAT IS THE THREAT?
Two critical vulnerabilities were patched by Adobe in their most recent update on Adobe Acrobat and Adobe Reader. These updates prevent malicious actors from taking advantage of a vulnerability that could lead to arbitrary code execution in the context of the current user. Attackers could exploit an out-of-bounds read buffer overflow where the program reads in more input than designed to handle, and then could be provided malicious commands to execute. Threat actors could also try to exploit a “use after free vulnerability”, where programs reference memory after it has been freed, causing it to execute code.
WHY IS IT NOTEWORTHY?
This is especially noteworthy due to the severity of the vulnerabilities and the popularity of the software. Considering the widespread use of Adobe Acrobat and Adobe Reader, attackers could easily exploit these vulnerabilities to gain escalated privileges within a network. The context of the vulnerabilities themselves are very dangerous and shows that even popular software with whole development teams can have critical vulnerabilities.
WHAT IS THE EXPOSURE OR RISK?
Once exploited, attackers may have privileges to execute code within your environment under the context of the user running the program. For example, if an administrative user were running unpatched versions of Adobe Acrobat or Reader, a threat actor would have administrative rights on the machine if this vulnerability was exploited. From there, they could further penetrate the network by establishing persistence to gather information. After the attackers in this specific scenario were satisfied with their ability to regain access, they could later deploy ransomware to encrypt data and machines on the network.
The above scenario is highly likely as several software vendors within the dealership industry require that users run their applications “as an administrator.” We strongly discourage you from doing this! If you have questions about how to overcome this, feel free to reach out to us.
WHAT ARE THE RECOMMENDATIONS?
rocketwise recommends that administrators follow the guidelines below:
- Apply the recent Adobe Acrobat and Adobe Reader patches ASAP.
- Review your AD infrastructure to ensure there are no strange accounts or accounts that should already be disabled.
- Maintain a proper patching policy for all machines.
- Review network connections on the firewall or other network appliances to confirm that there are no malicious connections to your network.
- Explore the documentation below to identify other adobe products that require updates.
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://helpx.adobe.com/security/products/acrobat/apsb21-37.html
- https://helpx.adobe.com/security.html
If you have any questions, please contact our team today.
