threatpost / Lindsey O'Donnell / THREATPOST:64E079F2EC1F4D520FBA77F2A6B58318
Feb 27, 2018 - 12:46 p.m.

Remote Code Execution Bug Patched in Adobe Acrobat Reader DC


EPSS: 0.216 (Low). Percentile: 96.0%

Researchers at Cisco Talos are detailing a remote code execution vulnerability found in Adobe Acrobat Reader DC that can be triggered when a malicious file is opened or a victim accesses a rigged webpage.

According to Talos, the vulnerability (CVE-2018-4901) was disclosed on Dec. 7 and Adobe issued a patch on Feb. 13. Researchers are now sharing the details of its discovery. Affected are Adobe Acrobat Reader versions 2018.009.20050 and 2017.011.30070 and earlier.

The vulnerability allows attackers to hide malicious JavaScript code in a PDF file. That code can cause the document ID field to be used in an unbounded copy operation, triggering a stack-based buffer overflow when the specially crafted PDF document is opened.

“A specific Javascript script embedded in a PDF file can cause the document ID field to be used in an unbounded copy operation leading to stack-based buffer overflow when opening a specially crafted PDF document in Adobe Acrobat Reader,” according to Talos.

Adobe rates the vulnerability with a “priority 2”, or as important, meaning that the bug presents an “elevated risk” and there are currently no known exploits in the wild.

“Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs,” according to Talos Group in a statement. “As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability.”

The vulnerability, which was discovered by Aleksandar Nikolic of Talos, is one of several patched by Adobe in February. In its security advisory, Adobe lists 41 vulnerabilities in Acrobat and Reader, including 17 critical ones that “could potentially allow an attacker to take control of the affected system.”
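For mail or web gateways that still see unpatched readers, the two ingredients Talos describes (embedded JavaScript and the document ID field) can be used for coarse triage. The sketch below is an added example, not code from Talos, Adobe or Threatpost, and it is not a signature for CVE-2018-4901. The function names, the 64-byte threshold and both sample byte strings are assumptions constructed for illustration, and it only inspects uncompressed objects.

```python
import re

MAX_ID_BYTES = 64  # assumed threshold; IDs are conventionally 16-byte digests
ID_ARRAY = re.compile(rb"/ID\s*\[(.*?)\]", re.S)
HEX_STR = re.compile(rb"<([0-9A-Fa-f\s]*)>")
LIT_STR = re.compile(rb"\((.*?)(?<!\\)\)", re.S)
NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

def id_lengths(data):
    """Approximate byte length of each string in every /ID array."""
    lengths = []
    for arr in ID_ARRAY.finditer(data):
        body = arr.group(1)
        for h in HEX_STR.finditer(body):
            digits = re.sub(rb"\s", b"", h.group(1))
            lengths.append((len(digits) + 1) // 2)  # odd count is zero-padded
        for s in LIT_STR.finditer(body):
            lengths.append(len(s.group(1)))  # escapes not decoded
    return lengths

def has_javascript(data):
    """True if a JavaScript action key appears, even with #xx name escapes."""
    decoded = NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    return b"/JavaScript" in decoded or b"/JS" in decoded

def triage(data):
    """Flag files that combine JavaScript with an unusually long document ID."""
    longest = max(id_lengths(data), default=0)
    js = has_javascript(data)
    return {"javascript": js, "longest_id": longest,
            "suspicious": js and longest > MAX_ID_BYTES}

# Constructed samples (not real documents).
BENIGN = (b"%PDF-1.7\ntrailer\n<< /Root 1 0 R /ID [<" + b"0f" * 16 +
          b"> <" + b"0f" * 16 + b">] >>\n%%EOF")
ODD = (b"%PDF-1.7\n1 0 obj\n<< /S /J#61vaScript /JS (void 0) >>\nendobj\n"
       b"trailer\n<< /Root 1 0 R /ID [<" + b"41" * 300 + b"> <00>] >>\n%%EOF")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("odd", ODD)):
        print(name, triage(sample))
```

A hit is a reason to quarantine and inspect the file with a full PDF parser; a miss proves nothing, since objects inside compressed streams are not examined.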
