CVE-2021-44703
📋 TL;DR
CVE-2021-44703 is a stack buffer overflow vulnerability in Adobe Acrobat Reader DC that allows arbitrary code execution when a user opens a malicious PDF file. Attackers can exploit this to run code with the victim's user privileges. Users of Adobe Acrobat Reader DC versions 21.007.20099 and earlier, 20.004.30017 and earlier, and 17.011.30204 and earlier are affected.
💻 Affected Systems
- Adobe Acrobat Reader DC
📦 What is this software?
Acrobat by Adobe
Acrobat by Adobe
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary code execution with current user privileges, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Malicious code execution leading to credential theft, data exfiltration, or malware installation on the affected system.
If Mitigated
No impact if users don't open untrusted PDF files or if proper application whitelisting and sandboxing are implemented.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file). No public exploit code available at time of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.007.20099 (Continuous Track), 20.004.30017 (Classic 2020 Track), 17.011.30204 (Classic 2017 Track) and later versions
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb22-01.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat Reader DC. 2. Go to Help > Check for Updates. 3. Follow prompts to install available updates. 4. Restart the application.
🔧 Temporary Workarounds
Disable JavaScript in Adobe Reader
allPrevents JavaScript-based exploitation vectors
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Use Protected View
allOpens untrusted PDFs in sandboxed environment
File > Preferences > Security (Enhanced) > Enable Protected View for all files
🧯 If You Can't Patch
- Implement application whitelisting to block unauthorized PDF readers
- Use email filtering to block PDF attachments from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check Adobe Reader version in Help > About Adobe Acrobat Reader DCCheck Version:
On Windows: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /? | findstr /i versionVerify Fix Applied:
Verify version is newer than affected versions: 21.007.20099, 20.004.30017, or 17.011.30204📡 Detection & Monitoring
Log Indicators:
- Adobe Reader crash logs with stack overflow indicators
- Unexpected process creation from AcroRd32.exe
Network Indicators:
- Outbound connections from Adobe Reader to suspicious IPs
- DNS requests for known malicious domains after PDF opening
SIEM Query:
Process Creation where Image contains "AcroRd32.exe" AND ParentImage contains "explorer.exe" AND CommandLine contains ".pdf"