The alarm was sounded by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and urged users to apply the patch and secure their endpoints immediately.
The flaw, discovered by HackSys researchers Ashfaq Ansari and Krishnakant Patil, is a use-after-free bug tracked as CVE-2023-21608 and patched by Adobe in January 2023. It carries a CVSS score of 7.8 (High) and is exploited by getting the victim to open a malicious PDF on the target endpoint, which can lead to arbitrary code execution in the context of the current user.
Abuse in the wild
The flaw affects multiple products and versions:
- Acrobat DC: 22.003.20282 (Windows), 22.003.20281 (Mac) and earlier versions (addressed in 22.003.20310)
- Acrobat Reader DC: 22.003.20282 (Windows), 22.003.20281 (Mac) and earlier versions (addressed in 22.003.20310)
- Acrobat 2020: 20.005.30418 and earlier versions (addressed in 20.005.30436)
- Acrobat Reader 2020: 20.005.30418 and earlier versions (addressed in 20.005.30436)
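To turn the version list above into something an asset inventory can act on, here is a small triage script. It is an added example, not code from the article, Adobe or HackSys. It assumes Adobe's three-part dotted version format (e.g. 22.003.20282), treats major versions 21 and above as the continuous DC track and major version 20 as the 2020 classic track, and reports any other track (such as the 2017 track, which the article does not list) as unknown rather than guessing. The inventory rows at the bottom are constructed sample data.

```python
"""Triage installed Acrobat/Reader builds against the CVE-2023-21608 fixed versions.

Fixed builds are the ones the article gives (Adobe's January 2023 bulletin):
  DC track   (Acrobat DC / Acrobat Reader DC): fixed in 22.003.20310
  2020 track (Acrobat 2020 / Acrobat Reader 2020): fixed in 20.005.30436
Any build on the same track with a lower version is unpatched.
Track inference from the major version is an assumption of this example.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed builds per track, taken from the article's version list.
FIXED_BUILDS = {
    "DC": (22, 3, 20310),
    "2020": (20, 5, 30436),
}


def parse_version(version: str) -> Version:
    """Parse '22.003.20282' into (22, 3, 20282); rejects anything else."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version string: {version!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)


def track_for(version: Version) -> Optional[str]:
    """Map a major version to a support track (assumption: 20 -> 2020, >=21 -> DC)."""
    major = version[0]
    if major == 20:
        return "2020"
    if major >= 21:
        return "DC"
    return None  # e.g. 17.x (2017 track) is not covered by the article


def check_cve_2023_21608(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for an installed version string."""
    parsed = parse_version(version)
    track = track_for(parsed)
    if track is None:
        return "unknown"
    # Tuple comparison does the right thing: (22,3,20282) < (22,3,20310).
    return "patched" if parsed >= FIXED_BUILDS[track] else "vulnerable"


def triage_inventory(rows: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify (host, version) rows; unparseable versions are reported, not dropped."""
    results = []
    for host, version in rows:
        try:
            status = check_cve_2023_21608(version)
        except ValueError:
            status = "unknown"
        results.append((host, version, status))
    return results


def hosts_needing_patch(rows: List[Tuple[str, str]]) -> List[str]:
    """Hosts that must be patched: vulnerable builds plus anything we could not classify."""
    return [host for host, _, status in triage_inventory(rows)
            if status != "patched"]


# Constructed sample inventory (not real hosts or telemetry).
SAMPLE_INVENTORY = [
    ("ws-001", "22.003.20282"),   # Windows DC build from the article: vulnerable
    ("mac-002", "22.003.20281"),  # Mac DC build from the article: vulnerable
    ("ws-003", "22.003.20310"),   # the fixed DC build: patched
    ("ws-004", "23.006.20320"),   # later DC release: patched
    ("ws-005", "20.005.30418"),   # 2020 track, last vulnerable build
    ("ws-006", "20.005.30436"),   # 2020 track, fixed build
    ("ws-007", "17.012.30262"),   # 2017 track, not covered here: unknown
    ("ws-008", "n/a"),            # inventory gap: unknown
]

if __name__ == "__main__":
    for host, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:8} {version:14} {status}")
    print("needs attention:", ", ".join(hosts_needing_patch(SAMPLE_INVENTORY)))
```

Anything classified as unknown is deliberately kept in the "needs attention" list: a missing or unrecognised version string is a gap in the inventory, not evidence that the host is safe.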
CISA said only that the flaw is being “actively exploited,” without elaborating further. Beyond the fact that attackers are abusing it, we do not know which groups are behind the activity, which entities they are targeting, or how many organizations are affected.
This is the second Adobe Acrobat and Reader vulnerability this year with evidence of abuse in the wild. A month ago, news broke of CVE-2023-26369, an out-of-bounds write flaw whose “successful exploitation could lead to arbitrary code execution.”
In that case too, the victim had to open a specially crafted PDF document for the exploit to run. Federal Civilian Executive Branch (FCEB) agencies are required to apply the available patches by October 31 this year.
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.