Severe zero-day vulnerabilities in Adobe's Acrobat and Reader
Urgent updates to address serious zero-day vulnerabilities in Adobe's Acrobat and Reader
Adobe has released security updates to fix a zero-day vulnerability in Acrobat and Reader, along with fixes for other vulnerabilities. The attacks exploit a flaw that allows the execution of unauthorized code. Users are encouraged to install updates to protect themselves.
Adobe has released security updates to fix a zero-day vulnerability in Acrobat and Reader that has been exploited in attacks. Although detailed information about the attacks has not yet been disclosed, this zero-day is known to affect both Windows and macOS systems.
“Adobe is aware that CVE-2023-26369 has seen limited exploitation in targeted attacks on Adobe Acrobat and Reader,” the company said in a security advisory published today.
The serious security flaw, identified as CVE-2023-26369, allows attackers to execute code after exploiting an out-of-bounds write weakness. While threat actors can exploit it in low-complexity attacks without requiring privileges, the flaw can only be exploited by local attackers and also requires user interaction, according to its CVSS v3.1 assessment. CVE-2023-26369 has been classified by Adobe as high priority, and the company strongly advises administrators to install the update as soon as possible, preferably within 72 hours.
Affected products and versions
Below is the complete list of affected products and versions:
- Acrobat DC: version 23.003.20284 and earlier
- Acrobat Reader DC: version 23.003.20284 and earlier
- Acrobat 2020: version 20.005.30516 (Mac) and earlier, version 20.005.30514 (Win) and earlier
- Acrobat Reader 2020: version 20.005.30516 (Mac) and earlier, version 20.005.30514 (Win) and earlier
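To triage a software inventory against the list above, a check along these lines can be used. It is an added example, not code from Adobe or from the original article; the record layout, the status names and the sample hosts are assumptions, and the product track must come from the inventory because the version number alone does not identify it.

```python
import re

# Highest affected build per product track and platform, copied from the list above.
LAST_AFFECTED = {
    "Acrobat DC":          {"win": "23.003.20284", "mac": "23.003.20284"},
    "Acrobat Reader DC":   {"win": "23.003.20284", "mac": "23.003.20284"},
    "Acrobat 2020":        {"win": "20.005.30514", "mac": "20.005.30516"},
    "Acrobat Reader 2020": {"win": "20.005.30514", "mac": "20.005.30516"},
}

# major.minor.build, with an optional fourth component that is ignored.
VERSION_RE = re.compile(r"^(\d{1,4})\.(\d{1,3})\.(\d{1,5})(?:\.\d+)?$")

def parse_version(text):
    """Return (major, minor, build) as ints, or None if the string does not parse."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, build = (int(g) for g in m.groups())
    # Assumption: some tools report a four-digit year (2023.003.20284); reduce it to two digits.
    return (major % 100, minor, build)

def classify(product, platform, version):
    """Return 'affected', 'not-listed' or 'unknown' for one inventory record."""
    limit = LAST_AFFECTED.get(product, {}).get(platform.lower())
    installed = parse_version(version)
    if limit is None or installed is None:
        return "unknown"  # unparsable or unrecognised data is never treated as safe
    return "affected" if installed <= parse_version(limit) else "not-listed"

def triage(inventory):
    """Group host names by status, keeping inventory order."""
    result = {"affected": [], "not-listed": [], "unknown": []}
    for host, product, platform, version in inventory:
        result[classify(product, platform, version)].append(host)
    return result

# Constructed sample inventory: (host, product track, platform, reported version).
INVENTORY = [
    ("ws-001", "Acrobat Reader DC", "win", "23.003.20284"),    # equal to the limit
    ("ws-002", "Acrobat Reader DC", "win", "2023.004.00001"),  # constructed newer build
    ("mac-003", "Acrobat 2020", "mac", "20.005.30516"),        # Mac limit
    ("ws-004", "Acrobat 2020", "win", "20.005.30516"),         # above the Windows limit
    ("ws-005", "Acrobat DC", "win", "22.001.20085"),           # older than the limit
    ("ws-006", "Acrobat Reader DC", "win", "n/a"),             # unparsable
]

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(status, hosts)
```

Hosts reported as "unknown" need a manual check rather than being counted as patched.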
Other vulnerabilities fixed by Adobe
Today, Adobe also patched security vulnerabilities that could allow attackers to execute arbitrary code on unpatched systems running Adobe Connect and Adobe Experience Manager. The bugs in Connect (CVE-2023-29305 and CVE-2023-29306) and Experience Manager (CVE-2023-38214 and CVE-2023-38215), which were fixed today, can all be exploited to launch reflected cross-site scripting (XSS) attacks. Such bugs can be exploited to access cookies, session tokens, or other sensitive information stored by victims' web browsers.
In July, Adobe released an emergency security update for ColdFusion to address a zero-day (CVE-2023-38205) that had seen limited exploitation. A few days later, CISA ordered federal agencies to secure the Adobe ColdFusion servers on their networks against the actively exploited bug by August 10.
09/12/2023 21:03
Editorial AI