Adobe’s Acrobat Reader, the PDF reader of choice for many of us, is vulnerable to a flaw that could allow remote attackers to execute malicious code on the target device.
The vulnerability is described as a “use after free” error and is tracked as CVE-2024-41896. A “use after free” error occurs when an application attempts to access data in a memory location that has already been freed. If a malicious actor manages to place malicious code in that freed piece of memory, the application may execute it, and the device is thus compromised.
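To make the bug class concrete from a defender’s side, here is an added C example (not code from the article, and not Adobe’s code) of one common mitigation: a hypothetical slot table whose handles carry a generation counter, so a reference kept past a free is rejected instead of silently reading recycled memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical "document object" slot table with generation counters.
 * A handle remembers the generation it was issued with; freeing a slot
 * bumps the generation, so a stale handle (the use-after-free pattern)
 * is detected on use instead of touching memory that was recycled. */
#define SLOTS 4

typedef struct { uint32_t gen; int live; char data[32]; } slot_t;
typedef struct { uint32_t idx; uint32_t gen; } handle_t;

static slot_t table[SLOTS];

/* Allocate a slot and return a handle bound to its current generation. */
handle_t obj_alloc(const char *text) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!table[i].live) {
            table[i].live = 1;
            strncpy(table[i].data, text, sizeof table[i].data - 1);
            table[i].data[sizeof table[i].data - 1] = '\0';
            return (handle_t){ i, table[i].gen };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };  /* table full */
}

/* Free a slot: mark it dead, wipe it, and advance its generation. */
void obj_free(handle_t h) {
    if (h.idx < SLOTS && table[h.idx].live && table[h.idx].gen == h.gen) {
        table[h.idx].live = 0;
        table[h.idx].gen++;
        memset(table[h.idx].data, 0, sizeof table[h.idx].data);
    }
}

/* Resolve a handle; returns NULL for a freed or recycled (stale) one. */
const char *obj_get(handle_t h) {
    if (h.idx >= SLOTS) return NULL;
    if (!table[h.idx].live || table[h.idx].gen != h.gen) return NULL;
    return table[h.idx].data;
}

int main(void) {
    handle_t a = obj_alloc("annotation");      /* constructed sample object */
    obj_free(a);
    handle_t b = obj_alloc("recycled");        /* lands in the same slot */
    printf("stale handle: %s\n", obj_get(a) ? obj_get(a) : "(rejected)");
    printf("fresh handle: %s\n", obj_get(b));
    return 0;
}
```

Without the generation check, the stale handle `a` would read whatever the slot now holds, which is exactly the situation an attacker tries to steer.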
It was discovered by cybersecurity researcher Haifei Li, who created a sandbox platform called EXPMON designed to detect advanced zero-day exploits. After multiple files were submitted to the platform, the flaw was discovered, along with the fact that it is actively being exploited in the wild. The silver lining is that the weaponized .PDF files did not deliver malware but simply crashed the targeted endpoints, which could also mean that the proof of concept (PoC) is still at an early or experimental stage.
A solution is available
However, now that the news is out, it is also safe to assume that various threat actors will be looking for unpatched versions of Adobe Acrobat Reader to exploit. Therefore, it is crucial that IT administrators apply the fix as soon as possible.
While we don’t know who’s using it, or against whom, we do know that it all starts with a weaponized .PDF document, so we can safely assume that the attack starts with a phishing email. PDF files are often used for invoices, purchase orders, and the like.
Adobe released a patch last month that didn’t fully address the issue. But earlier this week, the bug was finally fixed and given a new tracking number: CVE-2024-41869.
Via BleepingComputer