CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.675 Medium
Percentile: 97.6%
Acrobat Reader DC versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Recent assessments:
gwillcox-r7 at June 04, 2021 5:25pm UTC reported:
No real details on this at the moment, but according to Adobe's website at <https://helpx.adobe.com/security/products/acrobat/apsb21-29.html> this is a Use-After-Free bug in Adobe Acrobat that leads to remote code execution when opening a PDF. It was anonymously reported and has been reported to be exploited in the wild in limited targeted attacks against Windows users.
Given the available information, though, I would guess that to trigger this vulnerability a user would have to open a PDF containing malicious code in Adobe Acrobat, and then the malicious PDF would run some JavaScript or similar to put memory into a stable state such that it would be able to trigger the UAF and gain control of Adobe Acrobat without crashing it.
Given Adobe Acrobat is popular, though, the attacker value for this bug is pretty high, though I did deduct a point, if only because an attacker would still need to convince a user to open the PDF. I also set the exploitability at medium as UAF bugs are not that easy to exploit; however, web browsers and PDF readers often provide JavaScript engines that allow attackers to more easily control the state of memory, which can greatly ease the process of exploit development. However, without knowing more info it's difficult to gauge the level of exploitation difficulty for this specific exploit.
Assessed Attacker Value: 4
Assessed Exploitability: 3
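The assessment above describes the general shape of a use-after-free exploit in a PDF reader: the host frees an object while a script-visible reference still points at it, the script then grooms the heap so a same-size allocation reclaims the freed chunk, and a later use through the stale reference operates on attacker-shaped data. The following C program is an added, constructed illustration of that pattern and of the ownership fix (reference counting with holder-side pointer clearing). It is not Adobe's code, and the `annot`/`handle` object model is hypothetical; nothing here reflects the specific bug in APSB21-29, whose details are not public.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical host object (think "annotation") shared between the document
 * that owns it and a script-visible handle. Constructed for this example. */
struct annot {
    int refs;            /* consulted only by the hardened path */
    char name[32];
};

struct handle {
    struct annot *obj;   /* script-side reference into host memory */
};

static struct annot *annot_new(const char *name) {
    struct annot *a = calloc(1, sizeof *a);
    if (!a) abort();
    a->refs = 1;                      /* the document's own reference */
    strncpy(a->name, name, sizeof a->name - 1);
    return a;
}

/* ---- Vulnerable ownership model ---------------------------------------- */

/* The document frees the object unconditionally. The handle is never
 * consulted, so after this call h->obj dangles: that is the UAF. */
static void doc_close_unsafe(struct annot *doc_obj, struct handle *h) {
    (void)h;
    free(doc_obj);
}

/* Returns the stale handle value as an integer (never dereferenced). A
 * non-zero result means the script side still "sees" a live object. */
static uintptr_t unsafe_dangles(void) {
    struct annot *a = annot_new("note");
    struct handle h = { a };
    doc_close_unsafe(a, &h);
    return (uintptr_t)h.obj;
}

/* Heap reclaim, the step an exploit performs after the free: a same-size
 * allocation asks the allocator for the chunk it just released, so a later
 * use through the stale handle reads attacker-controlled bytes. Returns 1 if
 * the new allocation landed on the old chunk (typical with glibc's tcache,
 * but allocator-dependent). */
static int unsafe_reclaim(void) {
    struct annot *a = annot_new("note");
    struct handle h = { a };
    uintptr_t old = (uintptr_t)a;     /* recorded while still valid */
    doc_close_unsafe(a, &h);
    struct annot *spray = malloc(sizeof *spray);
    if (!spray) abort();
    memset(spray, 'A', sizeof *spray); /* attacker-shaped contents */
    int same = (uintptr_t)spray == old;
    free(spray);
    return same;
}

/* ---- Hardened ownership model ------------------------------------------ */

static void handle_acquire(struct handle *h, struct annot *a) {
    h->obj = a;
    a->refs++;
}

/* Drop one holder's reference; free only when the last one goes, and clear
 * the holder's pointer so no dangling copy survives on that side. */
static void annot_release(struct annot **pa) {
    struct annot *a = *pa;
    if (a && --a->refs == 0) free(a);
    *pa = NULL;
}

/* Document closes while the script still holds the object. Returns the
 * refcount observed through the handle afterwards (1), or -1 on corruption. */
static int safe_close_keeps_object_alive(void) {
    struct annot *doc_obj = annot_new("note");   /* refs = 1 */
    struct handle h;
    handle_acquire(&h, doc_obj);                /* refs = 2 */
    annot_release(&doc_obj);                    /* document done, refs = 1 */
    int refs = h.obj->refs;                     /* safe: still allocated */
    int name_ok = strcmp(h.obj->name, "note") == 0;
    annot_release(&h.obj);                      /* refs = 0, freed here */
    return name_ok ? refs : -1;
}

/* Both holders released: both pointers must be NULL, nothing dangles. */
static int safe_release_clears_handles(void) {
    struct annot *doc_obj = annot_new("note");
    struct handle h;
    handle_acquire(&h, doc_obj);
    annot_release(&doc_obj);
    annot_release(&h.obj);
    return doc_obj == NULL && h.obj == NULL;
}

int main(void) {
    printf("unsafe: handle after close = %#lx (dangling)\n",
           (unsigned long)unsafe_dangles());
    printf("unsafe: freed chunk reclaimed by same-size alloc = %d\n",
           unsafe_reclaim());
    printf("hardened: refs seen via handle after doc close = %d\n",
           safe_close_keeps_object_alive());
    printf("hardened: all holders cleared on release = %d\n",
           safe_release_clears_handles());
    return 0;
}
```

The reclaim step is what a PDF's embedded JavaScript gives an attacker: the ability to allocate objects of a chosen size and content between the free and the stale use, which is why the assessment rates script-enabled readers as easier targets than a UAF in a program with no scripting surface. The hardened path removes the window entirely by tying lifetime to the last holder rather than to whichever holder happens to call free first.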