Adobe Reader users on Windows have been actively attacked by hackers abusing a vulnerability patched today (May 11), the software company said, as it pushed out fixes for “multiple critical and important vulnerabilities.”
The use-after-free 0day (CVE-2021-28550) was reported anonymously to Adobe, which said it has been “exploited in the wild in limited attacks”. It was one of 10 critical CVEs Adobe fixed this Patch Tuesday.
Jay Goodman, Manager of Product Marketing at Automox, noted that the fixes came amid nine critical updates covering 25 critical CVEs, with the bugs spanning a wide range of Adobe’s portfolio, including Acrobat, Illustrator, and a large portion of the Creative Cloud Suite.
He said: “There are 10 critical vulnerabilities in Adobe Acrobat and Reader alone, including many that affect arbitrary code execution and privilege escalation concerns. Arbitrary Code Execution, or ACE, is a vulnerability that can lead to an attacker executing code on the target system with the existing privileges of the active user. Combined with the privilege escalation vulnerability disclosed in the same versions of Acrobat & Reader, attackers could easily exploit the out-of-bounds read/write vulnerabilities and provide privilege escalation to the executed code. This is a particularly nefarious combination of vulnerabilities in an extremely common piece of software. The vulnerabilities cover many versions dating back to 2017. As always, patching critical vulnerabilities within the ever-important first 72 hours is vital to maintaining a safe and secure infrastructure.”
Microsoft’s Patch Tuesday, May 2021
Microsoft meanwhile patched 55 vulnerabilities: four classified as critical, and 50 important. Redmond didn’t point to any active exploitation, but three of the fixes (in the Windows Scripting Engine, the HTTP Protocol Stack, and the OLE Automation engine) are critical-rated remote code execution vulnerabilities, as Sophos noted, adding that there were 20 remote code execution bugs in total “stomped out” in this release, affecting Office, SharePoint, the Jet Red database engine, Hyper-V, and various media components.
SAP meanwhile has released 14 new and updated SAP Security Notes in its May 2021 patch release. These include fixes for bugs in Chromium and Chef Cookbooks that have found their way into SAP products, as well as a patch for the rules engine in SAP Commerce Cloud (CVSS 9.9: yikes).
With eyes on industrial security — apropos the ongoing outage at the Colonial Pipeline — Siemens also released numerous advisories on multiple vulnerabilities affecting its RUGGEDCOM, SIMATIC, SINEMA, SINAMICS and other products. These include six vulnerabilities with a CVSS score of 9.8. Among them, several critical CVSS 9.8 CVEs in its SCALANCE industrial Ethernet switches, modems/routers, security appliances, and wireless systems — owing to a series of buffer overflow vulnerabilities in partner Aruba’s PAPI protocol.
There have been 7,384 CVEs reported so far this year, according to NIST, including 1,927 in April alone.