Today is the May 21 Patch Tuesday, and many software vendors such as Microsoft, VMware and Oracle have released security updates for their products. Adobe has also released patches for its products, and one important patch is for CVE-2021-28550, an Adobe Acrobat and Reader use-after-free zero-day that is actively exploited in the wild.
Adobe Reader users have once again become the target of a zero-day attack that allows attackers to take full control of systems in the worst-case scenario. Adobe today released security updates for the vulnerability that was exploited before the release of the patch. The software company speaks of "limited attacks" against Reader users on Windows, but no further details are given.
The vulnerability, identified as CVE-2021-28550, could allow an attacker to run arbitrary code with the privileges of the logged-in user when a malicious PDF file is opened. In addition to the exploited zero-day vulnerability, ten other vulnerabilities in the PDF reader have also been fixed.
For years, Adobe Reader and Acrobat have been the target of zero-day attacks. In recent years, such attacks were no longer reported, until February this year, when Adobe reported another zero-day in the PDF software.
Today that is the case again. Like the zero-day vulnerability in February, the vulnerability fixed today was reported to Adobe by an anonymous security researcher.
Users are advised to update "as soon as possible" to Acrobat DC or Acrobat Reader DC version 2021.001.20155; Acrobat 2017 or Acrobat Reader 2017 version 2017.011.30196; or Acrobat 2020 or Acrobat Reader 2020 version 2020.001.30025, for Windows and macOS. As an example, Adobe mentions installing the updates within 72 hours.