This Cybersecurity Threat Advisory shares information on the new Adobe zero-day vulnerability detected in Acrobat and Reader. Adobe has taken proactive measures by issuing security updates to this zero-day vulnerability, which has been exploited in attacks. While comprehensive details about the attacks remain undisclosed, it has been stated that this zero-day vulnerability impacts both Windows and macOS operating systems. Barracuda MSP recommends deploying Adobe’s security updates as soon as possible.
What is the threat?
Adobe recently issued security updates to address a zero-day vulnerability, identified as CVE-2023-26369, which has been exploited in limited attacks targeting Adobe Acrobat and Reader. This critical security flaw allows attackers to execute arbitrary code after successfully exploiting an out-of-bounds write weakness. Additionally, Adobe has patched security flaws in Adobe Connect and Adobe Experience Manager software, identified as CVE-2023-29305, CVE-2023-29306, CVE-2023-38214, and CVE-2023-38215, which can be leveraged for reflected cross-site scripting (XSS) attacks.
Why is it noteworthy?
There are several factors that are of concern. First, the zero-day vulnerability, CVE-2023-26369, is actively exploited by threat actors, emphasizing the immediate need for mitigation measures as attackers leverage this vulnerability before a patch becomes available. Second, the out-of-bounds write vulnerability poses a severe risk, enabling unauthorized code execution and is a recurring cause of numerous actively exploited vulnerabilities. Third, the security flaws in Adobe Connect and Adobe Experience Manager expose users to reflected cross-site scripting (XSS) attacks, potentially jeopardizing their sensitive browser-stored data. Finally, Adobe’s previous history of zero-day incidents underscores the persistent challenges in securing software products, reinforcing the importance of proactive cybersecurity measures.
What is the exposure or risk?
The exposure and risk associated with these threats are as follows:
- CVE-2023-26369 Exposure: Organizations using Adobe Acrobat and Reader, particularly on Windows and macOS systems, are at risk. Attackers can exploit this vulnerability with relatively low complexity, although it requires local access and user interaction. Immediate patching is strongly advised to mitigate the risk.
- Adobe Connect and Experience Manager Exposure: Users of Adobe Connect and Adobe Experience Manager are susceptible to XSS attacks due to the recently patched vulnerabilities (CVE-2023-29305, CVE-2023-29306, CVE-2023-38214, CVE-2023-38215). These attacks could result in data theft or compromise of sensitive information.
- Overall Risk: The presence of actively exploited zero-day vulnerabilities and other security issues underscores the importance of keeping software and systems up-to-date with the latest security patches. Failure to do so can lead to potential data breaches, unauthorized access, and disruptions in system functionality.
The complete list of affected products and versions is in the table below.
|Acrobat DC||Continuous||23.003.20284 and earlier|
|Acrobat Reader DC||Continuous||23.003.20284 and earlier|
|Acrobat 2020||Classic 2020||20.005.30516 (Mac) and earlier
20.005.30514 (Win) and earlier
|Acrobat Reader 2020||Classic 2020||20.005.30516 (Mac) and earlier
20.005.30514 (Win) and earlier
What are the recommendations?
Barracuda MSP recommends the following actions:
- Apply security updates to affected software versions by following the instructions below. The latest product versions are available to end users via one of the following methods:
- Users can update their product installations manually by choosing Help > Check for Updates.
- The products will update automatically, without requiring user intervention, when updates are detected.
- The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.
For more in-depth information about the recommendations, please visit the following links:
- Adobe warns of critical Acrobat and Reader zero-day exploited in attacks (bleepingcomputer.com)
- It’s 2023 and out-of-bounds write bugs are still number one • The Register
- Adobe Security Bulletin
If you have any questions regarding this Cybersecurity Threat Advisory, please contact our Security Operations Center.