CVE-2023-26369 Adobe acrobat update


Adobe's Patch Tuesday update for September 2023 comes with a patch for a critical, actively exploited security flaw in Acrobat and Reader that could permit an attacker to execute malicious code on susceptible systems.

The vulnerability, tracked as CVE-2023-26369, is rated 7.8 for severity on the CVSS scoring system and impacts both Windows and macOS versions of Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020.

The bug is an out-of-bounds write; successful exploitation could lead to code execution when a victim opens a specially crafted PDF document. Adobe did not disclose any additional details about the issue or the targeting involved.

"Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader," the company acknowledged in an advisory.

CVE-2023-26369 affects the following versions:

  • Acrobat DC (23.003.20284 and earlier versions) - Fixed in 23.006.20320
  • Acrobat Reader DC (23.003.20284 and earlier versions) - Fixed in 23.006.20320
  • Acrobat 2020 (20.005.30514 for Windows and earlier versions, 20.005.30516 for macOS and earlier versions) - Fixed in 20.005.30524
  • Acrobat Reader 2020 (20.005.30514 for Windows and earlier versions, 20.005.30516 for macOS and earlier versions) - Fixed in 20.005.30524

Also patched by the software maker are two cross-site scripting flaws each in Adobe Connect (CVE-2023-29305 and CVE-2023-29306) and Adobe Experience Manager (CVE-2023-38214 and CVE-2023-38215) that could lead to arbitrary code execution.

What is arbitrary code execution?
Arbitrary code execution (ACE) stems from a flaw in software or hardware. An attacker who spots that flaw can use it to execute commands of their choosing on a target device. Remote code execution (RCE) vulnerabilities are those where the attacker can launch the malicious code over a network, reaching many devices, rather than only on one device they already have in front of them.
What is out of bounds?
Suppose you have an array with four elements. Its valid indices run from 0 to 3, so we can access elements 0 through 3. Using an index greater than 3 is an out-of-bounds access; when that access is a write, as in CVE-2023-26369, memory beyond the end of the array is overwritten.


Microsoft Publisher

A Word document using the DDE protocol that is embedded within a Publisher document is a possible attack vector. You can help prevent this attack vector by applying the Word registry key modification. See the following section for the Word registry key values.

Microsoft Word

See ADV170021 for an update for Microsoft Word that allows users to set the functionality of the DDE protocol based on their environment.

Refer to the following table for the registry key <version> string to set for each Office version:

Office version    Registry key <version> string
Office 2010       14.0
Office 2013       15.0
Office 2016       16.0

  • For Office 2010 and later versions, to disable the DDE feature via the Registry Editor:
    [HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Options]
    DontUpdateLinks(DWORD)=1
  • For Office 2007, to disable the DDE feature via the Registry Editor:
    [HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Options\vpref]
    fNoCalclinksOnopen_90_1(DWORD)=1

Impact of mitigation: Setting this registry key will disable automatic update for DDE field and OLE links. Users can still enable the update by right-clicking on the field and clicking “Update Field”.
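The registry changes above are normally pushed out with a script rather than typed into the Registry Editor on every machine. The PowerShell below is an added example, not code from Microsoft's advisory: it audits the per-user Word DDE mitigation for each Office version in the table and applies it with -WhatIf support so the change can be previewed first. The function names and the $WordDdeKeys table are this example's own; the paths and value names are the ones listed above, and only HKEY_CURRENT_USER is touched, as in the advisory.

```powershell
# Added example: audit and apply the Word DDE mitigation from ADV170021.
# Paths and value names come from the advisory; everything else is this example's own.

$WordDdeKeys = @(
    # Office 2010, 2013 and 2016 share the value name; only <version> differs.
    @{ Office = '2010'; Path = 'HKCU:\Software\Microsoft\Office\14.0\Word\Options';       Name = 'DontUpdateLinks' },
    @{ Office = '2013'; Path = 'HKCU:\Software\Microsoft\Office\15.0\Word\Options';       Name = 'DontUpdateLinks' },
    @{ Office = '2016'; Path = 'HKCU:\Software\Microsoft\Office\16.0\Word\Options';       Name = 'DontUpdateLinks' },
    # Office 2007 uses a different value under the vpref subkey.
    @{ Office = '2007'; Path = 'HKCU:\Software\Microsoft\Office\12.0\Word\Options\vpref'; Name = 'fNoCalclinksOnopen_90_1' }
)

function Get-WordDdeMitigationStatus {
    # Reports, per Office version, whether the mitigation value exists and equals 1.
    foreach ($k in $WordDdeKeys) {
        $value = $null
        if (Test-Path $k.Path) {
            $value = (Get-ItemProperty -Path $k.Path -Name $k.Name -ErrorAction SilentlyContinue).($k.Name)
        }
        [pscustomobject]@{
            Office    = $k.Office
            Path      = $k.Path
            Name      = $k.Name
            Value     = $value
            Mitigated = ($value -eq 1)
        }
    }
}

function Set-WordDdeMitigation {
    # Creates the key if it is missing and sets the DWORD to 1 for every listed version.
    # SupportsShouldProcess gives us -WhatIf / -Confirm for free.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($k in $WordDdeKeys) {
        if ($PSCmdlet.ShouldProcess("$($k.Path)\$($k.Name)", 'Set DWORD = 1')) {
            if (-not (Test-Path $k.Path)) {
                New-Item -Path $k.Path -Force | Out-Null
            }
            New-ItemProperty -Path $k.Path -Name $k.Name -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Preview, apply, then verify.
Set-WordDdeMitigation -WhatIf
Set-WordDdeMitigation
Get-WordDdeMitigationStatus | Format-Table Office, Name, Value, Mitigated -AutoSize
```

Because the script does not check which Office versions are actually installed, it will create Options keys for versions that are absent; that is harmless, but if you want a clean audit trail, filter $WordDdeKeys to the versions present before calling Set-WordDdeMitigation. The values live under HKCU, so the script has to run in each user's context (a logon script or Group Policy preference item), not once per machine.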

Windows 10 Fall Creators Update (version 1709)

Users of the Windows 10 Fall Creators Update can leverage Windows Defender Exploit Guard to block DDE-based malware with Attack surface reduction (ASR) rules.

ASR is a component within Windows Defender Exploit Guard that provides enterprises with a set of built-in intelligence that can block the underlying behaviors used by malicious documents to execute attacks without hindering product operation. By blocking malicious behaviors independent of what the threat or exploit is, ASR can protect enterprises from never-before-seen zero-day attacks like these recently discovered vulnerabilities: CVE-2017-8759, CVE-2017-11292, and CVE-2017-11826.

For Office apps, ASR can:

  • Block Office apps from creating executable content
  • Block Office apps from launching child processes
  • Block Office apps from injecting into other processes
  • Block Win32 imports from macro code in Office
  • Block obfuscated macro code

Emerging exploits like DDEDownloader use the Dynamic Data Exchange (DDE) popup in Office documents to run a PowerShell downloader; however, in doing so, they launch a child process that the corresponding child process rule blocks.
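The five rules listed above, including the child-process rule that stops the DDEDownloader pattern, are configured through the Defender preference cmdlets. The following PowerShell is an added example, not Microsoft's code: it turns the rules on, reports their current state, and pulls the ASR events Defender logs when a rule fires. It assumes an elevated session on Windows 10 1709 or later with Windows Defender Antivirus active; the rule GUIDs are Microsoft's documented identifiers for these rules (confirm them against the current ASR rule reference), and the hashtable and function names are this example's own.

```powershell
# Added example: enable and monitor the Office-related ASR rules named above.
# GUIDs are Microsoft's published rule IDs; names of functions/variables are this example's own.

$OfficeAsrRules = [ordered]@{
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from launching child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office apps from injecting into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macro code'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}

function Set-OfficeAsrRules {
    # 'AuditMode' only logs what would have been blocked; run that first to find
    # line-of-business documents that rely on child processes, then switch to 'Enabled'.
    param([ValidateSet('Enabled', 'AuditMode', 'Disabled')][string]$Mode = 'AuditMode')
    foreach ($id in $OfficeAsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-OfficeAsrRuleStatus {
    # Defender reports each rule's action as a number: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $OfficeAsrRules.Keys) {
        $state = 'Not configured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $id) {
                $code  = [int]$actions[$i]
                $state = if ($actionName.ContainsKey($code)) { $actionName[$code] } else { "Unknown ($code)" }
            }
        }
        [pscustomobject]@{ RuleId = $id; Rule = $OfficeAsrRules[$id]; State = $state }
    }
}

function Get-RecentOfficeAsrEvents {
    # ASR logs event 1121 when it blocks and 1122 when it audits; the message
    # carries the rule ID, which we use to keep only the Office rules above.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $msg = $_.Message
            ($OfficeAsrRules.Keys | Where-Object { $msg -imatch $_ }).Count -gt 0
        } |
        Select-Object TimeCreated, Id, Message
}

# Typical rollout: audit first, review the 1122 events, then enforce.
Set-OfficeAsrRules -Mode AuditMode
Get-OfficeAsrRuleStatus | Format-Table Rule, State -AutoSize
Get-RecentOfficeAsrEvents -Hours 168 | Format-List
# Set-OfficeAsrRules -Mode Enabled   # once the audit period shows no false positives
```

Add-MpPreference appends to the existing rule list rather than replacing it, so running the script does not disturb ASR rules configured elsewhere; if Group Policy or Intune manages ASR on the host, those settings win and the cmdlet's change will be reported but not effective.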

Windows Defender Exploit Guard can be used with Windows Defender Advanced Threat Protection (ATP) to investigate and respond to enterprise-level security risks and issues. To learn more about Windows Defender Exploit Guard and Windows Defender ATP
