news-14092024-034339

Adobe recently released a patch to fix a remote code execution (RCE) bug in Acrobat that was originally reported by researcher Haifei Li. Despite the severity of the vulnerability, the patch did not mention that the bug was considered a zero-day or that a proof-of-concept exploit existed. This lack of information could lead sysadmins to underestimate the importance of prioritizing the patch.

The vulnerability was assigned a CVSS base score of 7.8 out of 10, which is below the critical range of the CVSS scale, even though there is a PoC exploit in the wild. This discrepancy in severity ratings could impact how quickly organizations address the issue: Adobe classified the use-after-free vulnerability as “critical,” but the CVSS score suggested a lower severity level.

Expmon, the zero-day and exploit-detection platform founded by Haifei Li, expressed surprise that a patch was not released sooner, considering the vulnerability was reported in June. Adobe acknowledged the need for a secondary fix to fully address the issue and assured that it was being prioritized for an upcoming patch release.

Expmon plans to share the sample PDF containing the PoC exploit soon, which will emphasize the urgency of implementing the patch. While the current sample does not contain a malicious payload, it sets the stage for a potential RCE attack. Once the exploit blueprint is made public, attackers could leverage it to target vulnerable systems.

Despite the impending threat, Adobe did not disclose the existence of the PoC exploit or the zero-day status of the vulnerability. This lack of transparency raises questions about the vendor’s communication regarding security issues. Additional information, such as the presence of known exploits, can help defenders make informed decisions about patching priorities.

To provide more insights into the issue, Expmon and Check Point Research will co-author a blog post detailing the vulnerability and its implications. This collaborative effort aims to educate the cybersecurity community about the risks associated with the Acrobat vulnerability and the importance of timely patching.

In conclusion, the recent Adobe patch for the Acrobat vulnerability highlights the critical need for proactive security measures and transparent communication between vendors and researchers. As cyber threats continue to evolve, it is essential for organizations to stay vigilant and prioritize the protection of their systems against potential exploits.