Urgent Update Required: Adobe Patches Acrobat Reader Zero-Day Vulnerability

September 11, 2024

A cybersecurity expert is encouraging users to update Adobe Acrobat Reader following the release of a patch for a remote code execution zero-day vulnerability, for which a public proof-of-concept (PoC) exploit exists. This flaw, known as CVE-2024-41869, is a critical 'use after free' vulnerability that could result in remote code execution if a specifically crafted PDF document is opened. A 'use after free' bug occurs when a program attempts to access data from a memory location that has already been freed, leading to unpredictable behaviour such as program crashes or freezing. However, if a threat actor manages to store malicious code in that memory location and the program subsequently accesses it, this could result in the execution of the malicious code on the targeted device. The vulnerability has now been addressed in the latest versions of Acrobat Reader and Adobe Acrobat.

The zero-day vulnerability in Acrobat Reader was identified in June through EXPMON, a sandbox-based platform developed by cybersecurity researcher Haifei Li, designed to detect advanced exploits like zero-days or hard-to-detect exploits. Li created EXPMON as he observed a lack of sandbox-based detection and analysis systems specifically focusing on detecting threats from an exploit or vulnerability perspective. Existing systems largely focus on malware detection.

Li explained, 'All the other systems do detection from a malware perspective. The exploit/vulnerability perspective is much needed if you want to go more advanced (or, early) detection.' He added that if no malware is dropped or executed due to certain conditions, or if the attack does not use any malware at all, such threats would be missed by these systems. Exploits function differently from malware, necessitating a different detection approach.

The zero-day vulnerability was discovered after a large number of samples from a public source were analyzed by EXPMON. The samples included a malicious PDF with a PoC exploit that caused a crash. Although the PoC exploit is a work in progress and does not contain any malicious payloads, it was confirmed to exploit a 'user after free' bug, which could be used for remote code execution.

After the flaw was reported to Adobe by Li, a security update was released in August. However, the update did not fully resolve the flaw, and it could still be triggered after closing various dialogs. The EXPMON X account tweeted, 'We tested the (exactly the same) sample on the 'patched' Adobe Reader version, it displayed additional dialogs, but if the user clicked/closed those dialogs, the app still crashed! Same UAF bug!'.

Adobe released a new security update yesterday that fixes the bug, now known as CVE-2024-41869. Li plans to release details on how the bug was detected on EXPMON's blog and provide further technical information in an upcoming Check Point Research report.

Latest News

• Taiwanese Drone Makers Targeted by 'WordDrone' Attack Exploiting Old MS Word Flaw
• Ivanti Addresses Critical RCE Vulnerability in Endpoint Management Software
• Microsoft Rectifies Zero-Day Flaw in Windows Smart App Control Exploited Since 2018
• Microsoft's September 2024 Patch Tuesday Addresses 79 Security Flaws Including 4 Zero-days
• NoName Ransomware Gang Expands Tactics, Now Deploying RansomHub Malware