Cyber Security Threat Summary:
Adobe recently addressed a critical flaw in Acrobat and Reader that could enable actors to execute malicious code on targeted systems. Tracked as CVE-2023-26369, the vulnerability has been rated 7.8 out of 10 on the CVSS scale, indicating a high level of severity. According to the vendor, CVE-2023-26369 relates to an out-of-bounds write issue and can be exploited to execute arbitrary code via specially crafted PDF documents.
CVE-2023-26369 affects both Windows and macOS systems running Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020. Below is a list of the impacted versions and updated version releases:
- Acrobat DC (23.003.20284 and earlier versions) - Fixed in 23.006.20320
- Acrobat Reader DC (23.003.20284 and earlier versions) - Fixed in 23.006.20320
- Acrobat 2020 (20.005.30514 and earlier versions for Windows, 20.005.30516 and earlier versions for macOS) - Fixed in 20.005.30524
- Acrobat Reader 2020 (20.005.30514 and earlier versions for Windows, 20.005.30516 and earlier versions for macOS) - Fixed in 20.005.30524
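The version list above can be turned into a quick inventory triage. The following is an added example, not code from Adobe or from the original summary; the CSV column names, the hostnames, and the rule that any build below the fixed build needs the update are assumptions.

```python
import csv
import io

# Fixed builds per product, taken from the advisory list above.
FIXED = {
    "Acrobat DC": "23.006.20320",
    "Acrobat Reader DC": "23.006.20320",
    "Acrobat 2020": "20.005.30524",
    "Acrobat Reader 2020": "20.005.30524",
}

def parse_version(text):
    """Turn 'NN.NNN.NNNNN' into a tuple of ints so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(product, version):
    """Return 'patched', 'needs-update' or 'unknown' for one install."""
    fixed = FIXED.get(product.strip())
    if fixed is None:
        return "unknown"  # product not covered by this advisory
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"  # surface bad inventory data instead of guessing
    # Assumption: any build below the fixed build is treated as needing the update.
    return "patched" if installed >= parse_version(fixed) else "needs-update"

def triage(inventory_csv):
    """Return (host, product, version, status) for every inventory row."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], r["product"], r["version"],
             classify(r["product"], r["version"])) for r in rows]

# Constructed sample inventory (hostnames and rows are made up for illustration).
SAMPLE = """host,os,product,version
ws-001,Windows,Acrobat Reader DC,23.003.20284
ws-002,Windows,Acrobat DC,23.006.20320
mac-003,macOS,Acrobat 2020,20.005.30516
ws-004,Windows,Acrobat Reader 2020,20.005.30524
ws-005,Windows,Acrobat Reader DC,23.3.20284
ws-006,Windows,Acrobat Reader DC,unknown
"""

if __name__ == "__main__":
    for host, product, version, status in triage(SAMPLE):
        print(f"{host:8} {product:20} {version:14} {status}")
```

Rows reported as `unknown` are installs whose product or version string could not be matched and should be checked by hand rather than assumed patched.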
Security Officer Comments:
According to Adobe, it is aware of active exploitation attempts, where CVE-2023-26369 has been “exploited in limited attacks targeting Adobe Acrobat and Reader.” The vendor did not release additional details regarding these attacks. This is likely to prevent threat actors from using these details to create custom exploits that could be used to target users before they get a chance to apply the updates.
Empowering end users with the knowledge and awareness to recognize and avoid potential threats is a fundamental element of any robust cybersecurity strategy. While vulnerabilities may persist, a vigilant and well-informed user base can significantly reduce the risk of successful cyberattacks. It's a shared responsibility that starts with each individual, making cybersecurity a collective endeavor that strengthens our overall defenses against cyber threats. Additionally, users and network administrators should update software installations to the latest versions by following the instructions below:
The latest product versions are available to end users via one of the following methods:
- Users can update their product installations manually by choosing Help > Check for Updates.
- The products will update automatically, without requiring user intervention, when updates are detected.
- The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.
For IT administrators (managed environments):
- Refer to the specific release note version for links to installers.
- Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or, on macOS, Apple Remote Desktop and SSH.