CVE-2021-45060
📋 TL;DR
This CVE describes an out-of-bounds read vulnerability in Adobe Acrobat Reader DC that could allow an attacker to execute arbitrary code in the context of the current user. The vulnerability affects multiple versions of Acrobat Reader DC across different release tracks. Exploitation requires user interaction through opening a malicious PDF file.
💻 Affected Systems
- Adobe Acrobat Reader DC
📦 What is this software?
Acrobat by Adobe
Acrobat by Adobe
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution with the privileges of the user running Acrobat Reader, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Limited code execution within the Acrobat Reader process, potentially allowing file access, credential theft, or installation of additional malware.
If Mitigated
Application crash or denial of service if memory protections prevent successful exploitation.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file) and bypassing memory protections like ASLR/DEP. No public exploit code was available at disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.007.20099 (or later), 20.004.30017 (or later), 17.011.30204 (or later) depending on track
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb22-01.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat Reader DC. 2. Go to Help > Check for Updates. 3. Follow prompts to install available updates. 4. Restart the application when prompted.
🔧 Temporary Workarounds
Disable JavaScript in Acrobat Reader
allDisabling JavaScript reduces attack surface as many PDF exploits rely on JavaScript execution.
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Use Protected View
allEnable Protected View for files from potentially unsafe locations to limit damage.
Edit > Preferences > Security (Enhanced) > Enable Protected View at startup
🧯 If You Can't Patch
- Restrict user permissions to limit impact of successful exploitation
- Implement application whitelisting to prevent execution of unauthorized code
🔍 How to Verify
Check if Vulnerable:
Check Help > About Adobe Acrobat Reader DC and compare version against affected rangesCheck Version:
On Windows: wmic product where name="Adobe Acrobat Reader DC" get versionVerify Fix Applied:
Verify version is updated to patched version and restart application📡 Detection & Monitoring
Log Indicators:
- Application crashes of Acrobat Reader with memory access violations
- Unusual process creation from Acrobat Reader
Network Indicators:
- Outbound connections from Acrobat Reader to suspicious domains
- DNS requests for known exploit infrastructure
SIEM Query:
EventID=1000 OR EventID=1001 AND Source="AcroRd32.exe" AND (ExceptionCode=0xc0000005 OR ExceptionCode=0xc0000409)