September 12, 2024 at 02:38PM
Adobe’s patch for a remote code execution bug in Acrobat downplays the severity of the vulnerability, failing to mention that it is considered a zero-day with a proof-of-concept exploit. Despite a CVSS base score of 7.8, the accompanying warning highlights its critical nature. Adobe has confirmed that a secondary fix is needed. Further details will follow in an upcoming blog.
From the meeting notes, there are several important takeaways regarding Adobe’s patch for a remote code execution (RCE) bug in Acrobat:
1. The vulnerability, CVE-2024-41869, was reported by researcher Haifei Li and was initially assigned a CVSS base score of 7.8. Despite this, it was later acknowledged to carry a “critical” severity rating by Adobe, even though its CVSS score suggested a severity one level lower.
2. A proof-of-concept (PoC) exploit exists for this vulnerability, though the sample PDF provided by Expmon does not contain a full exploit. Once the sample is released, however, the groundwork it lays could likely be used for a real RCE attack.
3. Adobe acknowledged that a secondary fix is required to fully address the issue and is actively working to prioritize that fix in an upcoming patch.
4. Adobe did not mention the existence of a PoC or that researchers deemed the flaw a zero-day vulnerability. This lack of information has led researchers to reach out to the vendor for additional details and answers.
5. It is also mentioned that more details about the issue will be disseminated in an upcoming blog co-authored by Expmon and Check Point Research.
Based on these takeaways, it is important to recognize the critical nature of the vulnerability, the risks posed by the PoC exploit, and the need for additional information from Adobe to better inform the patching process.