CVE-2021-45064
📋 TL;DR
A use-after-free vulnerability in Adobe Acrobat Reader DC allows arbitrary code execution when a user opens a malicious PDF file. This affects multiple versions across different release tracks. Successful exploitation requires user interaction but could lead to full system compromise.
💻 Affected Systems
- Adobe Acrobat Reader DC
📦 What is this software?
Acrobat by Adobe
Acrobat by Adobe
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Malicious PDF file executes code on victim's machine, allowing data exfiltration, credential theft, or installation of persistent malware.
If Mitigated
With proper controls, malicious files are blocked or sandboxed, limiting impact to isolated environment with no system access.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file). No public exploit code available at time of advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.007.20099 (update to later version), 20.004.30017 (update to later version), 17.011.30204 (update to later version)
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb22-01.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat Reader DC. 2. Go to Help > Check for Updates. 3. Follow prompts to install latest version. 4. Restart computer after installation.
🔧 Temporary Workarounds
Disable JavaScript in Adobe Reader
allPrevents execution of JavaScript in PDF files which may mitigate some exploitation vectors
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Use Protected View
allForce all PDFs to open in Protected View mode to limit potential damage
Edit > Preferences > Security (Enhanced) > Check 'Enable Protected View at startup'
🧯 If You Can't Patch
- Block PDF files from untrusted sources at email gateway and web proxy
- Implement application whitelisting to prevent unauthorized executables from running
🔍 How to Verify
Check if Vulnerable:
Check Adobe Reader version in Help > About Adobe Acrobat Reader DCCheck Version:
Windows: wmic product where name="Adobe Acrobat Reader DC" get version
macOS: /Applications/Adobe\ Acrobat\ Reader\ DC.app/Contents/Info.plist | grep -A1 CFBundleShortVersionStringVerify Fix Applied:
Verify version is newer than affected versions: 21.007.20099, 20.004.30017, or 17.011.30204📡 Detection & Monitoring
Log Indicators:
- Adobe Reader crash logs with memory access violations
- Unexpected child processes spawned from Adobe Reader
Network Indicators:
- Outbound connections from Adobe Reader process to unknown IPs
- DNS requests for suspicious domains after PDF opening
SIEM Query:
process_name:"AcroRd32.exe" AND (event_id:1000 OR event_id:1001) AND exception_code:0xc0000005