CVE-2024-30303
📋 TL;DR
CVE-2024-30303 is a use-after-free vulnerability in Adobe Acrobat Reader that could allow arbitrary code execution when a user opens a malicious PDF file. This affects users of Acrobat Reader versions 20.005.30539, 23.008.20470 and earlier. Successful exploitation requires user interaction but could lead to complete system compromise.
💻 Affected Systems
- Adobe Acrobat Reader DC
- Adobe Acrobat Reader
📦 What is this software?
Acrobat by Adobe
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the victim's computer, data theft, ransomware deployment, and lateral movement within the network.
Likely Case
Malware installation leading to data exfiltration, credential theft, or system disruption for individual users who open malicious PDFs.
If Mitigated
Limited impact with proper application sandboxing, endpoint protection, and user awareness preventing successful exploitation.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file). No public exploit code available at disclosure time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.005.30554 or 23.008.20476
Vendor Advisory: https://helpx.adobe.com/security/products/acrobat/apsb24-07.html
Restart Required: Yes
Instructions:
1. Open Adobe Acrobat Reader. 2. Go to Help > Check for Updates. 3. Follow prompts to install available updates. 4. Restart the application when prompted.
🔧 Temporary Workarounds
Disable JavaScript in PDFs
allPrevents JavaScript execution in PDF files which may mitigate some exploitation vectors
Edit > Preferences > JavaScript > Uncheck 'Enable Acrobat JavaScript'
Use Protected View
allForce all PDFs to open in Protected View mode to limit potential damage
Edit > Preferences > Security (Enhanced) > Check 'Enable Protected View at startup'
🧯 If You Can't Patch
- Block PDF files from untrusted sources at email gateways and web proxies
- Implement application whitelisting to prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check Help > About Adobe Acrobat Reader DC. If version is 20.005.30539 or earlier OR 23.008.20470 or earlier, system is vulnerable.Check Version:
On Windows: wmic product where name="Adobe Acrobat Reader DC" get versionVerify Fix Applied:
Verify version is 20.005.30554 or later for continuous track, OR 23.008.20476 or later for classic track.📡 Detection & Monitoring
Log Indicators:
- Application crashes in Acrobat Reader logs
- Unusual process creation from Acrobat.exe
Network Indicators:
- Outbound connections from Acrobat.exe to suspicious IPs
- DNS requests for known malicious domains
SIEM Query:
source="*acrobat*" AND (event_type="crash" OR process_name="cmd.exe" OR process_name="powershell.exe")