Adobe has disclosed a couple of new RCE vulnerabilities in Acrobat Reader affecting both macOS and Windows. Successful exploitation of these vulnerabilities can lead to arbitrary code execution, application denial of service, memory leak, privilege escalation, and security feature bypass, so the flaws need to be patched. This article will show you how to fix CVE-2022-24091 (2), an RCE vulnerability in Adobe Acrobat Reader.
User interaction is needed to exploit this vulnerability: the target must open a malicious file or visit a malicious page. The flaw exists within the parsing of embedded fonts. The problem is caused by a lack of proper validation of user-supplied data, resulting in a write past the end of an allocated buffer. Attackers can use this vulnerability to execute malicious code in the context of the current process.
Adobe Acrobat Reader DC
Adobe Acrobat Reader is a free cross-platform application that allows users to create, view, collaborate on, sign, and annotate PDF files. It is an essential PDF tool that can convert virtually any document to PDF format while preserving the form and content of the original file.
Moreover, it gives the ability to create and edit images and text in PDF documents. Adobe Acrobat Reader is an advanced version of Adobe Reader with additional functionality, such as the ability to scan a paper document.
Summary Of The New RCE Vulnerabilities In Adobe Acrobat Reader - CVE-2022-24091 (2):
The CVE-2022-24091 (2) remote code execution vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat Reader DC. The flaw exists within the parsing of embedded fonts.
| Field | Value |
|---|---|
| Associated CVE ID | CVE-2022-24091 (2) |
| Description | RCE Vulnerabilities in Adobe Acrobat Reader DC |
| Associated ZDI ID | – |
| CVSS Score | 7.8 High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | Low |
| User Interaction (UI) | None |
| Scope | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Versions Affected By These RCE Vulnerabilities:
Here is the list of versions affected by the CVE-2022-24091 (2) remote code execution vulnerability.
| Product | Track | Affected Versions | Platforms |
|---|---|---|---|
| Acrobat DC | Continuous | 21.007.20099 and earlier versions | Windows |
| Acrobat Reader DC | Continuous | 21.007.20099 and earlier versions | Windows |
| Acrobat DC | Continuous | 21.007.20099 and earlier versions | macOS |
| Acrobat Reader DC | Continuous | 21.007.20099 and earlier versions | macOS |
| Acrobat 2017 | Classic 2017 | 17.011.30204 and earlier versions | Windows & macOS |
| Acrobat Reader 2017 | Classic 2017 | 17.011.30204 and earlier versions | Windows & macOS |
| Acrobat 2020 | Classic 2020 | 20.004.30017 and earlier versions | Windows & macOS |
| Acrobat Reader 2020 | Classic 2020 | 20.004.30017 and earlier versions | Windows & macOS |
How To Fix CVE-2022-24091 (2) - New RCE Vulnerabilities In Adobe Acrobat Reader DC?
This section discusses how to fix CVE-2022-24091 (2), the RCE vulnerabilities in Adobe Acrobat Reader. Adobe has categorized the following updates with the priority ratings shown and recommends updating to the latest versions.
| Product | Updated Version | Platform | Priority Rating |
|---|---|---|---|
| Acrobat DC | 21.011.20039 | Windows & macOS | 2 |
| Acrobat Reader DC | 21.011.20039 | Windows & macOS | 2 |
| Acrobat 2017 | 17.011.30207 | Windows & macOS | 2 |
| Acrobat Reader 2017 | 17.011.30207 | Windows & macOS | 2 |
| Acrobat 2020 | 20.004.30020 | Windows & macOS | 2 |
| Acrobat Reader 2020 | 20.004.30020 | Windows & macOS | 2 |
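As an added example (not code from this article or from Adobe), the following Python script checks Acrobat/Reader version strings from an inventory against the fixed builds in the table above and flags installs that still need the update. The host names and versions in the sample inventory are constructed; how you collect the installed version from each machine is left to your own inventory tooling.

```python
# Added example: classify Acrobat/Reader builds against the first fixed build
# per track from the update table, to find installs exposed to CVE-2022-24091.
from typing import Dict, Tuple

# First fixed build per track (from the update table). The major version
# identifies the track: 17 = Classic 2017, 20 = Classic 2020, 21 = Continuous.
FIXED_BUILDS: Dict[int, str] = {
    17: "17.011.30207",  # Acrobat / Reader 2017
    20: "20.004.30020",  # Acrobat / Reader 2020
    21: "21.011.20039",  # Acrobat / Reader DC (Continuous)
}
TRACK_NAMES = {17: "Classic 2017", 20: "Classic 2020", 21: "Continuous"}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '21.007.20099' into (21, 7, 20099); reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version format: {version!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)


def track_for(version: str) -> str:
    return TRACK_NAMES.get(parse_version(version)[0], "unknown")


def is_vulnerable(version: str) -> bool:
    """True if the build predates the first fixed build of its track.
    A major version the advisory does not list is treated as not affected by
    this advisory; verify such builds against Adobe's current bulletins."""
    parsed = parse_version(version)
    fixed = FIXED_BUILDS.get(parsed[0])
    return fixed is not None and parsed < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for a {host: version} inventory."""
    return {host: ("UPDATE REQUIRED" if is_vulnerable(v) else "ok")
            for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"ws-01": "21.007.20099", "ws-02": "21.011.20039",
              "ws-03": "17.011.30204", "mac-01": "20.004.30020"}
    for host, status in triage(sample).items():
        print(f"{host}: {sample[host]} ({track_for(sample[host])}) -> {status}")
```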
Adobe Recommends Installing The Software Updates To The Latest Versions Using The Following Instructions.
The updated product version is available to users through one of the following methods:
1. For individuals:
   - The product will update automatically, without user intervention, once it detects the updates.
   - Users can manually update product installations by selecting Help > Check for Updates.
   - The Acrobat Reader installer can be downloaded here.
2. For IT administrators:
   - Refer to the release notes for the specific version for installer links.
   - Push the updates through your preferred methods, such as the bootstrapper, AIP-GPO, SCUP/SCCM, or, on macOS, Remote Desktop and SSH.
Time needed: 10 minutes.
How To Update Adobe Acrobat Manually?
- Check for updates
Launch the application, then go to Help > Check for Updates.
- Download the updates
The Download and Install button will be enabled if updates are available.
- Close the program
When the download completes, you may see a prompt to close the application as shown here. Close Acrobat and click Retry.
- Install the updates
You will see an "Update Successful!" message when the update completes. Close the app. That is the end of the manual upgrade process.
We hope this post helps you understand how to fix CVE-2022-24091 (2), the new RCE vulnerabilities in Adobe Acrobat Reader DC. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium, and subscribe to receive updates like this.
Original article by ItWorker. If reposting, please credit the source: https://blog.ytso.com/270182.html