CVE-2023-26396
📋 TL;DR
This vulnerability in Adobe Acrobat Reader allows attackers to create temporary files with incorrect permissions, potentially leading to privilege escalation. Users who open malicious PDF files are at risk. The vulnerability affects both the continuous track (DC) and classic track versions of Acrobat Reader.
💻 Affected Systems
- Adobe Acrobat Reader DC
- Adobe Acrobat Reader 2020
📦 What is this software?
Acrobat by Adobe
⚠️ Risk & Real-World Impact
Worst Case
An attacker could gain elevated privileges on the system, potentially installing malware, accessing sensitive data, or taking full control of the affected machine.
Likely Case
Local privilege escalation allowing attackers to execute code with higher privileges than the current user context, potentially leading to persistence or lateral movement.
If Mitigated
With proper controls like least privilege accounts and application whitelisting, impact is limited to the current user's permissions.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious file) and knowledge of the local file system. No public exploit code has been disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: DC: 23.001.20143 or later, 2020: 20.005.30473 or later
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb23-24.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat Reader.
2. Go to Help > Check for Updates.
3. Follow prompts to install latest version.
4. Restart computer after installation.
🔧 Temporary Workarounds
Disable JavaScript in Adobe Reader
(all platforms) Prevents malicious JavaScript from executing in PDF files
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Use Protected View
(all platforms) Open untrusted PDFs in Protected View mode
File > Open > Select 'Protected View' option
🧯 If You Can't Patch
- Restrict user permissions to least privilege required
- Implement application control to block execution of unauthorized programs
🔍 How to Verify
Check if Vulnerable:
Check Adobe Reader version in Help > About Adobe Acrobat Reader DC
Check Version:
Windows: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /?
macOS: mdls -name kMDItemVersion /Applications/Adobe\ Acrobat\ Reader\ DC.app
Verify Fix Applied:
Verify version is 23.001.20143 or later for DC, or 20.005.30473 or later for 2020 version
📡 Detection & Monitoring
Log Indicators:
- Unexpected temporary file creation in system directories
- Adobe Reader process spawning child processes with elevated privileges
Network Indicators:
- None - this is a local file system vulnerability
SIEM Query:
EventID=4688 AND ParentProcessName contains "AcroRd32.exe" AND (NewProcessName contains "cmd.exe" OR NewProcessName contains "powershell.exe")
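
The log indicators and SIEM query above, written out as triage logic over process-creation records. This is an added example, not code from the vendor or from this page; the sample events are constructed, and the flattened field names (ParentProcessName, NewProcessName, TokenElevationType) assume your pipeline exports Windows Security event 4688 with its standard field names.

```python
import ntpath

# Image names taken from the page's SIEM query. 4688 records carry full paths
# in ParentProcessName / NewProcessName, so match on the file name only.
READER_IMAGES = {"acrord32.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
ELEVATED_TOKEN = "%%1937"  # TokenElevationType for a full (elevated) token

def image_name(path):
    """Lower-cased file name of a Windows path ('' if the field is absent)."""
    return ntpath.basename(path or "").lower()

def triage(event):
    """Return None, 'shell-child' or 'elevated-child' for one record."""
    if str(event.get("EventID")) != "4688":
        return None
    if image_name(event.get("ParentProcessName")) not in READER_IMAGES:
        return None
    if event.get("TokenElevationType") == ELEVATED_TOKEN:
        return "elevated-child"
    if image_name(event.get("NewProcessName")) in SHELL_IMAGES:
        return "shell-child"
    return None

def scan(events):
    """Return [(reason, event)] for every record that needs review."""
    return [(r, e) for e in events if (r := triage(e))]

READER = r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
# Constructed sample records (not real telemetry), flattened to dicts.
SAMPLE_EVENTS = [
    # Reader starts a shell with a limited token
    {"EventID": 4688, "ParentProcessName": READER,
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "TokenElevationType": "%%1938"},
    # Shell started from Explorer: parent is not Reader, so no alert
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TokenElevationType": "%%1938"},
    # Reader's own child process: expected, no alert
    {"EventID": 4688, "ParentProcessName": READER,
     "NewProcessName": READER, "TokenElevationType": "%%1938"},
    # Reader (path in upper case) starts an elevated child
    {"EventID": 4688, "ParentProcessName": READER.upper(),
     "NewProcessName": r"C:\Users\Public\example.exe", "TokenElevationType": "%%1937"},
]

if __name__ == "__main__":
    for reason, ev in scan(SAMPLE_EVENTS):
        print(reason, ev["NewProcessName"])
```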