Adobe has released a security update to address a vulnerability affecting both Windows and Mac versions of Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017 and Acrobat Reader 2017.
In a security bulletin, the company acknowledged that it has received reports of the vulnerability being “exploited in the wild in limited attacks targeting Adobe Reader users on Windows.”
The flaw, labeled CVE-2021-28550, could lead to arbitrary code execution if successfully exploited.
Cybersecurity experts, like nVisium director of infrastructure Shawn Smith, said code execution is a serious threat that can potentially cost hundreds of labor hours to manually verify that every instance of the software has been updated.
Sean Nikkel, senior cyber threat intel analyst at Digital Shadows, said the use of malicious PDF files has been a staple of various nation-state actors, as well as criminal actors, for years because of the ubiquity of Adobe products in use for the private and public sectors.
He called Adobe the “Microsoft of a lot of office productivity software” and added that attackers historically have used phishing emails with PDF attachments to entice users to download and open files, generally under the pretense of it being a critical document for review, such as a financial document, news article, or a shipping label.
“In some other instances, a would-be attacker could create a malicious website that is also hosting weaponized PDF files,” Nikkel said.
“Generally, PDF documents, which frequently are opened either via browser or a reader such as Adobe Acrobat or Reader, can contain malicious JavaScript or allow some other system interaction that allows code execution or other vectors of attack to occur, sometimes without the user knowing.”
Nikkel explained that some researchers are reporting massive increases in attacks with weaponized documents and theorizing that the increase resulted from widespread remote work over the past year.
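The quote above about PDFs carrying JavaScript and auto-run actions describes the mechanism; a defender's first check on an inbound PDF is a quick triage of which action-bearing objects the file declares, before it reaches a user's reader. The following is an added example, not code from the article, from Adobe, or from the analysts quoted, of such a triage scanner in Python. The indicator tokens are standard PDF dictionary names; the three sample PDFs are constructed here (one clean, one with an OpenAction-triggered script, one with the same tokens hidden behind PDF name escapes), and the quarantine/review thresholds are my own assumption.

```python
import re

# Standard PDF dictionary names that mean "this file can do more than render
# text". Their presence is not proof of malice (forms and some legitimate
# documents use JavaScript), but any hit is a reason to open the file in a
# sandbox rather than on a user's desktop.
RISKY_NAMES = (
    "/JavaScript",    # JavaScript action or JavaScript name tree
    "/JS",            # the script body itself (inline string or stream)
    "/OpenAction",    # action run automatically when the document is opened
    "/AA",            # additional actions (page open, mouse events, form events)
    "/Launch",        # launch an external application or file
    "/EmbeddedFile",  # embedded file, a common payload carrier
    "/URI",           # external link, used for staged downloads
    "/RichMedia",     # Flash / rich media objects
)

# PDF lets any byte of a name be written as #xx, so /J#61vaScript is the same
# name as /JavaScript. Droppers use this to dodge naive string matching.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Each indicator must be followed by a non-name character so that /JS does not
# also count every /JSomething.
_PATTERNS = {
    name: re.compile(re.escape(name.encode()) + rb"(?![A-Za-z0-9_])")
    for name in RISKY_NAMES
}


def normalize_names(data: bytes) -> bytes:
    """Decode #xx name escapes so obfuscated names compare equal to plain ones."""
    return _HEX_ESCAPE.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)


def count_indicators(data: bytes) -> dict:
    """Count each risky name token in the (escape-normalized) file content."""
    text = normalize_names(data)
    return {name: len(pat.findall(text)) for name, pat in _PATTERNS.items()}


def triage(data: bytes) -> dict:
    """Return the indicator hits and a coarse verdict for one PDF blob.

    Verdict rule (an assumption made for this example):
      quarantine - an auto-run trigger AND a scripting/launch capability
      review     - any risky indicator at all
      clean      - none of the indicators present
    """
    # Readers tolerate junk before the header, so look in the first 1 KiB.
    is_pdf = b"%PDF" in data[:1024]
    hits = {k: v for k, v in count_indicators(data).items() if v}
    auto_exec = any(k in hits for k in ("/OpenAction", "/AA"))
    scripting = any(k in hits for k in ("/JavaScript", "/JS", "/Launch"))
    if auto_exec and scripting:
        verdict = "quarantine"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"is_pdf": is_pdf, "hits": hits, "verdict": verdict}


# --- Constructed sample files (minimal, inert; the script only pops a dialog) ---
SAMPLE_CLEAN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SAMPLE_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /JS (app.alert("hello");) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same document as SAMPLE_JS with the key names hidden behind #xx escapes.
SAMPLE_OBFUSCATED = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /J#53 (app.alert("hello");) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("js", SAMPLE_JS),
                        ("obfuscated", SAMPLE_OBFUSCATED)):
        print(label, triage(blob))
```

This is a triage heuristic, not a parser: it does not inflate compressed object streams, so a file whose action dictionaries sit inside a FlateDecode stream will be under-counted, and the output is a routing decision (sandbox, analyst review, or release) rather than a malware verdict. Tools such as pdfid follow the same approach and are the usual next step.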