Description:
Security updates have been released for Adobe Reader and Acrobat to address multiple vulnerabilities. A remote attacker could entice a targeted user to open a specially crafted PDF file to exploit the vulnerabilities.
Reports indicate that the arbitrary code execution vulnerability (CVE-2021-28550) in Adobe Reader has been exploited in the wild in attacks targeting Windows users. System administrators are advised to take immediate action to patch affected systems to mitigate the elevated risk of cyber attacks.
Affected Systems:
- Acrobat DC for Windows Continuous 2021.001.20150 and earlier versions
- Acrobat Reader DC for Windows Continuous 2021.001.20150 and earlier versions
- Acrobat DC for macOS Continuous 2021.001.20149 and earlier versions
- Acrobat Reader DC for macOS Continuous 2021.001.20149 and earlier versions
- Acrobat 2020 for Windows and macOS Classic 2020 2020.001.30020 and earlier versions
- Acrobat Reader 2020 for Windows and macOS Classic 2020 2020.001.30020 and earlier versions
- Acrobat 2017 for Windows and macOS Classic 2017 2017.011.30194 and earlier versions
- Acrobat Reader 2017 for Windows and macOS Classic 2017 2017.011.30194 and earlier versions
Impact:
Successful exploitation could lead to arbitrary code execution, privilege escalation and information disclosure on an affected system.
Recommendation:
Users of affected systems should update Adobe Reader and Acrobat to the following versions to address the issue. The updates can be obtained through the auto-update mechanism or downloaded from the following URLs:
- Acrobat DC for Windows and macOS Continuous 2021.001.20155
https://www.adobe.com/devnet-docs/acrobatetk/tools/ReleaseNotesDC/index.html#continuous-track
- Acrobat Reader DC for Windows and macOS Continuous 2021.001.20155
https://www.adobe.com/devnet-docs/acrobatetk/tools/ReleaseNotesDC/index.html#continuous-track
- Acrobat 2020 for Windows and macOS Classic 2020 2020.001.30025
https://www.adobe.com/devnet-docs/acrobatetk/tools/ReleaseNotesDC/index.html#classic-track
- Acrobat Reader 2020 for Windows and macOS Classic 2020 2020.001.30025
https://www.adobe.com/devnet-docs/acrobatetk/tools/ReleaseNotesDC/index.html#classic-track
- Acrobat 2017 for Windows and macOS Classic 2017 2017.011.30196
https://www.adobe.com/devnet-docs/acrobatetk/tools/ReleaseNotesDC/index.html#id3
- Acrobat Reader 2017 for Windows and macOS Classic 2017 2017.011.30196
https://www.adobe.com/devnet-docs/acrobatetk/tools/ReleaseNotesDC/index.html#id3
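The following Python is an added example, not part of the original advisory or of Adobe's tooling. It triages an installed-version inventory against the fixed versions listed above. It assumes that the build number distinguishes the tracks (20xxx for Continuous, 30xxx for Classic) and that a two-digit year reported by an inventory tool means 20YY; the function names, host names and inventory rows are constructed.

```python
import re

# Fixed versions from the advisory's Recommendation list, keyed by track.
FIXED = {
    "continuous": (2021, 1, 20155),
    "classic2020": (2020, 1, 30025),
    "classic2017": (2017, 11, 30196),
}

def parse_version(text):
    """Turn '2021.001.20150' or '21.001.20150' into a comparable tuple."""
    m = re.fullmatch(r"(\d{4}|\d{2})\.(\d{1,3})\.(\d{5})", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    year, minor, build = (int(part) for part in m.groups())
    if year < 100:          # assumption: two-digit year means 20YY
        year += 2000
    return (year, minor, build)

def track_of(version):
    """Assumption: build 20xxx is Continuous, 30xxx is Classic <year>."""
    year, _, build = version
    if 20000 <= build < 30000:
        return "continuous"
    if 30000 <= build < 40000 and f"classic{year}" in FIXED:
        return f"classic{year}"
    return None             # track not covered by this advisory

def assess(text):
    """Return 'patched', 'affected', 'unknown-track' or 'unparseable'."""
    try:
        version = parse_version(text)
    except ValueError:
        return "unparseable"
    track = track_of(version)
    if track is None:
        return "unknown-track"
    return "patched" if version >= FIXED[track] else "affected"

# Constructed inventory rows: (host, product, reported version).
INVENTORY = [
    ("ws-001", "Acrobat Reader DC", "21.001.20150"),
    ("mac-07", "Acrobat 2020", "2020.001.30020"),
    ("ws-114", "Acrobat 2017", "2017.011.30196"),
    ("ws-200", "Acrobat DC", "2020.013.20074"),
]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        print(f"{host:8} {product:20} {version:16} {assess(version)}")
```

Any version below the fixed version in its track is reported as affected, which is conservative relative to the "and earlier versions" ranges in the Affected Systems list.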
More Information:
- https://helpx.adobe.com/security/products/acrobat/apsb21-29.html
- https://www.hkcert.org/security-bulletin/adobe-monthly-security-update-may-2021
- https://us-cert.cisa.gov/ncas/current-activity/2021/05/11/adobe-releases-security-updates-multiple-products
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21038
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21044
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21086
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28550
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28553
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28555
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28557 (to CVE-2021-28562)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28564
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28565