Security Advisory 2021-024

History:

• 12/05/2021 --- v1.0 -- Initial publication

Summary

Adobe has released 12 updates addressing 44 vulnerabilities in Experience Manager, InDesign, Illustrator, InCopy, Adobe Genuine Service, Acrobat and Reader, Magento, Creative Cloud Desktop, Media Encoder, After Effects, Medium, and Animate [1, 4]. The most critical of them -- CVE-2021-28550 -- may allow attackers to remotely execute code [3].

Technical Details

This advisory only describes the most critical vulnerability CVE-2021-28550, because Adobe has received a report that CVE-2021-28550 vulnerability has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.

In addition, Adobe has not provided any technical details about the attacks, but this vulnerability could be exploited by an attacker by tricking victims into opening specially crafted PDF with an affected version of Acrobat Reader [2, 5].

Priority and Severity Rating for CVE-2021-28550

• Priority - 1 (Highest): this update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible. (for example, within 72 hours) [3]. 
• Severity - Critical (Highest): a vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware [3]. 

Affected Products

The following products could be affected by the vulnerability [2]:

Recommendations

It is recommended to update all affected software to the latest versions.

References

[1] https://helpx.adobe.com/security.html

[2] https://helpx.adobe.com/security/products/acrobat/apsb21-29.html

[3] https://helpx.adobe.com/security/severity-ratings.html

[4] https://www.zerodayinitiative.com/blog/2021/5/11/the-may-2021-security-update-review

[5] https://securityaffairs.co/wordpress/117792/security/windows-zero-day-4.html