Adobe’s Acrobat Reader, the go-to PDF reader for many of us, is vulnerable to a flow that allows threat actors to remotely run malicious code on the target device.
The vulnerability is described as a “user after free” flaw, and is tracked as CVE-2024-41896. A “use after free” flaw happens when a program tries to access data in a memory location that was previously freed. If a malicious actor manages to deploy malicious code in that freed piece of memory real estate, it could be executed on the device and, consequently, compromised.
It was discovered by cybersecurity researcher Haifei Li, who created a sandbox platform called EXPMON, designed to detect advanced zero-day exploits. After multiple files were submitted to the platform, the flaw was discovered, and with it the fact that it is being actively exploited in the wild. The silver lining here is that the weaponized .PDF files were not deploying any malware, but were simply crashing targeted endpoints, which could also mean that the PoC is still in its infancy or experimental stage.
A fix is out there
However, now that the news is out, it is also safe to assume that different threat actors will start looking for unpatched Adobe Acrobat Reader variants to use. Therefore, it is pivotal that IT admins apply the fix as soon as possible.
While we don’t know who is using it, or against whom, we do know that it all begins with a weaponized .PDF document, so it’s safe to assume that the attack starts with a phishing email. PDF files are often used as invoices, purchase orders, and similar.
Adobe released a patch last month, which did not properly address the problem – but the bug was ultimately fixed earlier this week, and was given a new tracking number – CVE-2024-41869.
Via BleepingComputer