Adobe Releases Security Updates

Security updates address vulnerabilities in the products Adobe Acrobat and Reader, InDesign, InCopy, and Dimension

Threat ID:: CC-4241
Threat Severity:: Information only
Published:: 11 January 2023 2:34 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Security updates address vulnerabilities in the products Adobe Acrobat and Reader, InDesign, InCopy, and Dimension

Affected platforms

The following platforms are known to be affected:

Adobe Acrobat and Reader for Windows & macOS

Acrobat DC - Versions: 22.003.20282 (Win), 22.003.20281 (Mac) and earlier
Acrobat Reader DC - Versions: 22.003.20282 (Win), 22.003.20281 (Mac) and earlier
Acrobat 2020 - Versions: 20.005.30418 and earlier
Acrobat Reader - Versions: 2020- 20.005.30418 and earlier

Versions: ID18.0 and earlier, ID17.4 and earlier

Adobe InDesign

Versions: ID18.0 and earlier, ID17.4 and earlier

Adobe InCopy

Versions: 3.4.6 and earlier

Adobe Dimension

Threat details

Introduction

Adobe has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA adds CVE-2023-21608 to Known Exploited Vulnerability Catalog

A proof-of-concept for the Adobe Acrobat Reader DC vulnerability, CVE-2023-21608, has been publicly released and exploitation is more likely. CVE-2023-21608 is use-after-free vulnerability that could lead to remote code execution (RCE).

CISA has added the vulnerability CVE-2023-21608 to the Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

Threat updates

Date	Update
13 Oct 2023	CISA adds CVE-2023-21608 to Known Exploited Vulnerability Catalog This article has been updated to reflect the status of exploitation.
6 Feb 2023	A Proof-of-concept for Adobe Acrobat Reader DC vulnerability released This article has been updated to reflect the change in exploitation status

Remediation advice

Organisations are encouraged to review the Adobe security pages for the following products and apply the following updates.

Remediation steps

Type	Step
Patch	APSB23-01 \| Security update available for Adobe Acrobat and Reader https://helpx.adobe.com/security/products/acrobat/apsb23-01.html
Patch	APSB23-07 \| Security update available for Adobe InDesign https://helpx.adobe.com/security/products/indesign/apsb23-07.html
Patch	APSB23-08 \| Security update available for Adobe InCopy https://helpx.adobe.com/security/products/incopy/apsb23-08.html
Patch	APSB23-10 \| Security update available for Adobe Dimension https://helpx.adobe.com/security/products/dimension/apsb23-10.html

Definitive source of threat updates

https://helpx.adobe.com/security.html

CVE Vulnerabilities

Status Published

CVE-2023-21608

Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Last edited: 13 October 2023 12:17 pm