Summary: Adobe has released Patch Tuesday updates to address multiple code execution vulnerabilities in its products, including Adobe Acrobat and Reader software.
Threat Actor: None identified.
Victim: Adobe
Key Points:
- Adobe has fixed 35 security vulnerabilities in its Patch Tuesday updates, with 12 of these issues impacting Adobe Acrobat and Reader software.
- The vulnerabilities include Use After Free, Improper Input Validation, and Improper Access Control, which could lead to arbitrary code execution.
- The severity of the vulnerabilities is rated as critical, with a CVSS base score of 7.8.
- The CVE numbers associated with the vulnerabilities are CVE-2024-30284, CVE-2024-30310, CVE-2024-34094, CVE-2024-34095, and more.
Adobe addressed multiple code execution vulnerabilities in its products, including Adobe Acrobat and Reader software
The software giant released its Patch Tuesday updates to fix 35 security vulnerabilities; 12 of these issues impact Adobe Acrobat and Reader software.
The arbitrary code execution issues fixed by the company include Use After Free, Improper Input Validation, and Improper Access Control.
Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number |
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-30284 |
Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-30310 |
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34094 |
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34095 |
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34096 |
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34097 |
Improper Input Validation (CWE-20) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34098 |
Improper Access Control (CWE-284) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34099 |
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34100 |
Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-30311 |
Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-30312 |
Out-of-bounds Read (CWE-125) | Memory leak | Moderate | 3.3 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | CVE-2024-34101 |
The vulnerabilities were reported by the following experts and research team:
- Mark Vincent Yason (markyason.github.io) working with Trend Micro Zero Day Initiative – CVE-2024-30284, CVE-2024-34094, CVE-2024-34095, CVE-2024-34096, CVE-2024-34097
- Cisco Talos (ciscotalos) – CVE-2024-30311, CVE-2024-30312
- Bobby Gould of Trend Micro Zero Day Initiative – CVE-2024-30310, CVE-2024-34101
- AbdulAziz Hariri (@abdhariri) of Haboob SA (@HaboobSa) – CVE-2024-34098, CVE-2024-34099
- Suyue Guo and Wei You from Renmin University of China (ruc_se_sec) – CVE-2024-34100
Adobe PSIRT is not aware of attacks in the wild exploiting the above vulnerabilities.
The vulnerabilities impact versions 24.002.20736 and earlier, and 20.005.30574 and earlier, on Windows and macOS.
Adobe also fixed issues in Adobe Illustrator (APSB24-30), Adobe Aero (APSB24-33), Adobe Dreamweaver (APSB24-39), Adobe Substance 3D Painter (APSB24-31), Adobe Substance 3D Designer (APSB24-35), Adobe Animate (APSB24-36), Adobe FrameMaker (APSB24-37).
Source: https://securityaffairs.com/163194/security/adobe-flaws-acrobat-reader.html