Adobe is warning customers of a critical zero-day bug that is active in the wild affecting its Adobe Acrobat PDF reader software.
The bug, tracked as CVE-2021-28550, affects eight versions of Adobe software (full list below) and exploits vulnerabilities in the software including arbitrary code execution, memory leaks and exposure of private information.
10 critical and four important vulnerabilities were addressed in Adobe Reader and Acrobat in addition to five critical flaws in Adobe Illustrator that were resolved by Tuesday’s security patch release. The technical specific details of the bug were not available to Adobe software users until after the 43 patch fixes were downloaded which meant that before manual user installation, the zero-day bug allowed for hackers to execute virtually any command on targeted systems.
Users can download these new security fixes by initiating the auto update feature of Acrobat and Reader by going to Help –> Check for Updates and installing via the Adobe Download Centre. This will remove the user intervention necessity to manually install security updates and allows Adobe products to update automatically upon detection of patch releases.
List of affected Adobe software versions:
– Acrobat DC, 2021.001.20150 and earlier versions - Windows
– Acrobat Reader DC, 2021.001.20150 and earlier versions – Windows
– Acrobat DC, 2021.001.20149 and earlier versions - macOS
– Acrobat Reader DC, 2021.001.20149 and earlier versions – macOS
– Acrobat 2020, 2020.001.30020 and earlier versions – Windows & macOS
– Acrobat Reader 2020, 2020.001.30020 and earlier versions – Windows & macOS
– Acrobat 2017, 2017.011.30194 and earlier versions – Windows & macOS
– Acrobat Reader 2017, 2017.011.30194 and earlier versions – Windows & macOS