A cybersecurity researcher is urging users to update Adobe Acrobat Reader following the release of a critical fix for a zero-day vulnerability.
This flaw, tracked as CVE-2024-41869, is classified as a “use after free” vulnerability, which can lead to remote code execution when a specially crafted PDF is opened.
The issue was first discovered in June and has now been addressed in the latest updates of Acrobat Reader and Adobe Acrobat.
A “use after free” vulnerability occurs when a program tries to access memory that has already been released, causing crashes or freezing. More dangerously, if a hacker manages to insert malicious code into that memory space, the program could execute the code, allowing the attacker to gain control over the targeted system. This is the case with the Acrobat Reader zero-day.
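The bug class described above, as an added generic illustration (not code from Adobe, EXPMON, or the original article): a fixed slot pool stands in for the heap so the stale-reference behaviour can be observed without undefined behaviour, next to a generation-counter check that rejects the stale reference. All names (`obj_alloc`, `obj_get`, `handle_t`, the sample strings) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 4
/* Hypothetical object pool: each slot carries a generation counter. */
typedef struct { uint32_t gen; int live; char data[16]; } slot_t;
typedef struct { uint32_t idx; uint32_t gen; } handle_t;
static slot_t pool[SLOTS];

/* Allocate the first free slot; the handle is bound to the slot's generation. */
handle_t obj_alloc(const char *contents) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            snprintf(pool[i].data, sizeof pool[i].data, "%s", contents);
            return (handle_t){ i, pool[i].gen };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };   /* pool exhausted */
}

/* Release: bump the generation so every outstanding handle becomes stale. */
void obj_free(handle_t h) {
    if (h.idx < SLOTS && pool[h.idx].live && pool[h.idx].gen == h.gen) {
        pool[h.idx].live = 0;
        pool[h.idx].gen++;
    }
}

/* Unchecked lookup: models a dangling pointer, returns whatever now occupies the slot. */
const char *obj_get_unchecked(handle_t h) {
    return h.idx < SLOTS ? pool[h.idx].data : NULL;
}

/* Checked lookup: refuses a handle whose generation no longer matches. */
const char *obj_get(handle_t h) {
    if (h.idx >= SLOTS || !pool[h.idx].live || pool[h.idx].gen != h.gen) return NULL;
    return pool[h.idx].data;
}

/* Returns 1 if the stale handle is rejected while the unchecked path sees the new occupant. */
int demo(void) {
    handle_t dialog = obj_alloc("dialog-state");   /* constructed sample data */
    obj_free(dialog);                              /* object released, handle kept */
    handle_t other = obj_alloc("other-contents");  /* same slot is reused */
    const char *stale = obj_get_unchecked(dialog);
    return obj_get(dialog) == NULL && obj_get(other) != NULL &&
           stale != NULL && strcmp(stale, "other-contents") == 0;
}

int main(void) { printf("stale handle rejected: %s\n", demo() ? "yes" : "no"); return 0; }
```

The unchecked lookup reads data that belongs to a different object once the slot is reused, which is why control over the contents of freed memory matters; the generation check turns that silent reuse into a detectable failure.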
The flaw was first identified by Haifei Li, a cybersecurity researcher who created EXPMON, a sandbox-based platform designed to detect advanced threats like zero-day vulnerabilities. EXPMON’s approach focuses on identifying exploits from a vulnerability perspective rather than relying solely on malware detection. This method allows for earlier detection of potential attacks, especially in scenarios where no malware is dropped or executed.
Li discovered the zero-day when analyzing samples from a public source. One of the samples, a PDF, contained a proof-of-concept (PoC) exploit that caused Acrobat Reader to crash. While the PoC was a work in progress and did not contain a malicious payload, it demonstrated how the “use after free” bug could be exploited for remote code execution.
After the vulnerability was reported to Adobe, a security update was released in August. However, the update failed to fully address the issue. Li and his team tested the patched version and found that the bug could still be triggered when users closed specific dialog boxes. This led to further crashes, indicating that the vulnerability was still present.
Yesterday, Adobe released a new security update that finally fixes the vulnerability. The issue is now tracked as CVE-2024-41869, and users are urged to update their software as soon as possible to protect themselves from potential attacks. Haifei Li plans to share further details on how the vulnerability was detected through EXPMON’s blog, with additional technical insights coming in an upcoming Check Point Research report.
Bijay Pokharel