Adobe has released its Patch Tuesday update for September 2023 [5], addressing a critical vulnerability in Adobe Acrobat and Reader [1] [2] [5]. The vulnerability allows attackers to execute arbitrary code on an affected system when a specially crafted PDF document is opened. It has already been exploited in limited attacks [3].
Description
The affected versions include Acrobat Reader versions 23.003.20284 (and earlier), 20.005.30516 (and earlier), and 20.005.30514 (and earlier) on both Windows and macOS. Adobe has addressed this vulnerability in the latest update, which is classified as high risk, and recommends installing the security patch within 72 hours [2].
In addition to the updates for Acrobat and Reader, security updates have also been released for Adobe Experience Manager (AEM) and Adobe Connect. The severity rating of the vulnerability is 7.8 on the CVSS scoring system. Adobe has not provided any additional details about the issue or the specific targeting involved [6], but it has acknowledged the exploitation of this vulnerability in limited attacks targeting Adobe Acrobat and Reader.
Exploitation requires user interaction: a user must open a malicious file [4] [5]. Users can update their installations manually or download the full installer from the Acrobat Reader Download Center [2].
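To prioritise patching inside the 72-hour window, the affected builds listed above can be checked against a software inventory. The following is an added example, not code from Adobe or the cited sources; the inventory format, hostnames and function names are hypothetical, and it assumes the 20.005 builds form a separate release line bounded by the higher of the two listed builds.

```python
import re

# Highest affected builds exactly as listed on this page.
MAIN_LINE_MAX = (23, 3, 20284)
# Assumption: 20.005.x is a separate release line with its own bound. The page
# lists 30516 and 30514 without saying which platform each applies to, so the
# higher build is used as the conservative cut-off.
LINE_20_005_MAX = (20, 5, 30516)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, build) as ints, or None if the string is malformed."""
    match = VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Return 'affected', 'newer' or 'review' (version could not be parsed)."""
    version = parse_version(version_text)
    if version is None:
        return "review"
    bound = LINE_20_005_MAX if version[:2] == (20, 5) else MAIN_LINE_MAX
    # 'newer' only means above the listed build, not a confirmed fixed release.
    return "affected" if version <= bound else "newer"


def triage(inventory_lines):
    """Map host -> status for constructed 'host,product,version' rows."""
    results = {}
    for line in inventory_lines:
        fields = [field.strip() for field in line.split(",")]
        if len(fields) != 3:
            continue  # skip rows that are not host,product,version
        host, _product, version = fields
        results[host] = classify(version)
    return results


# Constructed sample inventory: hostnames and the two "newer" builds are invented.
SAMPLE_INVENTORY = [
    "ws-001,Acrobat Reader,23.003.20284",
    "ws-002,Acrobat Reader,23.006.20320",
    "mac-007,Acrobat,20.005.30514",
    "ws-010,Acrobat,20.005.30524",
    "ws-011,Acrobat Reader,unknown",
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `review` have a version string that could not be parsed and need a manual check rather than being treated as safe.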
Conclusion
This critical vulnerability in Adobe Acrobat and Reader poses a significant risk to affected systems. It is crucial for users to promptly install the security patch to mitigate the potential for arbitrary code execution. The limited attacks exploiting this vulnerability highlight the importance of staying vigilant and keeping software up to date. Adobe’s release of security updates for other products also underscores the need for comprehensive protection across all Adobe software.
References
[1] https://thehackernews.com/2023/09/update-adobe-acrobat-and-reader-to.html
[2] https://securityonline.info/adobe-fixes-critical-zero-day-cve-2023-26369-vulnerability/
[3] https://www.helpnetsecurity.com/2023/09/12/microsoft-adobe-fix-zero-days-exploited-by-attackers-cve-2023-26369-cve-2023-36761-cve-2023-36802/
[4] https://www.tenable.com/cve/CVE-2023-26369
[5] https://secoperations.wordpress.com/2023/09/14/update-adobe-acrobat-and-reader-to-patch-actively-exploited-vulnerability/
[6] https://cyber.vumetric.com/security-news/2023/09/13/update-adobe-acrobat-and-reader-to-patch-actively-exploited-vulnerability/