Threat Response – Vulnerabilities in Adobe Reader and Acrobat
On Tuesday 11th of May, Adobe released a patch for multiple critical vulnerabilities in Adobe Reader and Acrobat on Windows and MacOS. Adobe indicates in the “Adobe Security Bulletin” that one of the vulnerabilities, CVE-2021-28550, has been exploited in the wild targeting Adobe Reader users on Windows. Via this message, we would like to inform you about the threat, and the possible mitigation steps that can be taken.
Adobe did not release technical specifics regarding the vulnerabilities. The vulnerabilities could lead to arbitrary code execution in the context of the current user. This makes it possible for an attacker to create a specifically prepared PDF file that, when opened by Adobe Reader, can execute arbitrary code. The attacker can use this to install malware on the system. Therefore, Northwave assesses the impact as high.
No public exploit code is available currently, however Adobe indicates that one of the vulnerabilities, CVE-2021-28550, has been exploited in the wild targeting Adobe Reader users on Windows. Therefore, Northwave assesses the risk of this vulnerability to be high.
Adobe released patches to resolve these vulnerabilities. Northwave recommends installing the patch immediately. There are no other known mitigations available at the moment.
What will Northwave do?
Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information, you can call us by phone or send us an email.
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (alleen vanuit Nederland)
Disclaimer applies, see below.
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.