Adobe fixes Acrobat Reader zero-day with public PoC exploit

A cybersecurity researcher is urging users to update Adobe Acrobat Reader after a fix was released yesterday for a remote code execution zero-day with a public in-the-wild proof-of-concept exploit.

The flaw is tracked as CVE-2024-41869 and is a critical use-after-free vulnerability that can lead to remote code execution when a specially crafted PDF document is opened.

A use-after-free bug occurs when a program accesses data at a memory location that has already been freed or released. The result is undefined behavior, which most often shows up as the program crashing or freezing.

However, if a threat actor can place attacker-controlled data in that memory location before the program touches it again (for example, by making the allocator hand the freed chunk back out for a same-sized object filled from the crafted file), the stale access can be turned into execution of malicious code on the targeted device, typically by overwriting a function pointer the program later calls.
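To make the mechanism concrete, here is an added example (not code from the article, from Adobe or from EXPMON; nothing here is the Acrobat bug itself). It uses a constructed mini-heap with a last-in, first-out free list so that the reuse is deterministic: a `dialog_t` object holding a callback is freed, the dangling pointer is kept, the next same-sized allocation is filled with attacker bytes, and the stale pointer now "sees" an attacker-controlled function pointer. A second flow shows one mitigation, generational handles, where freeing bumps a per-slot counter so every stale handle fails to resolve instead of reaching reused memory. All names (`dialog_t`, `slab_alloc`, `handle_t`, and so on) are assumptions made for the example.

```c
/* Added example: deterministic use-after-free demonstration plus a
 * generational-handle mitigation. All names and data are constructed. */
#include <stdio.h>
#include <string.h>

#define SLOT_COUNT 4

/* A heap object of the kind a viewer keeps for a dialog: some data plus a
 * callback invoked when the dialog is closed. Constructed for the example. */
typedef struct {
    char title[24];
    void (*on_close)(void);
} dialog_t;

/* One allocator slot, viewed either as the object or as raw bytes. */
typedef union {
    dialog_t dialog;
    unsigned char raw[sizeof(dialog_t)];
} slot_t;

/* Mini-heap with a LIFO free list: the most recently freed slot is handed
 * back first. Real allocators (glibc tcache, the Windows LFH) do the same
 * for same-sized requests, which is what makes UAF bugs reliable. */
static slot_t   slab[SLOT_COUNT];
static int      free_stack[SLOT_COUNT];
static int      free_top;
static unsigned slot_gen[SLOT_COUNT];   /* per-slot generation (mitigation) */

static void slab_reset(void) {
    memset(slab, 0, sizeof slab);
    memset(slot_gen, 0, sizeof slot_gen);
    free_top = 0;
    for (int i = SLOT_COUNT - 1; i >= 0; i--)
        free_stack[free_top++] = i;      /* slot 0 is handed out first */
}
static slot_t *slab_alloc(void) {
    return free_top > 0 ? &slab[free_stack[--free_top]] : NULL;
}
static void slab_free(slot_t *s) { free_stack[free_top++] = (int)(s - slab); }

static void benign_on_close(void) { puts("dialog closed"); }

/* 1 if every byte of the callback field is 0x41, i.e. attacker data. */
static int callback_is_attacker_bytes(const dialog_t *d) {
    unsigned char expect[sizeof d->on_close];
    memset(expect, 0x41, sizeof expect);
    return memcmp(&d->on_close, expect, sizeof expect) == 0;
}

/* Vulnerable flow: free the dialog, keep the pointer, let the next same-sized
 * allocation (attacker bytes from the crafted file) reuse the slot, then use
 * the stale pointer. Returns 1 when the callback has been overwritten. */
int vulnerable_flow(void) {
    slab_reset();
    dialog_t *dlg = &slab_alloc()->dialog;
    strcpy(dlg->title, "Save changes?");
    dlg->on_close = benign_on_close;

    slab_free((slot_t *)dlg);            /* object released, pointer kept */

    slot_t *attacker = slab_alloc();      /* same slot comes straight back */
    memset(attacker->raw, 0x41, sizeof attacker->raw);

    /* A real exploit would now let the program call dlg->on_close() and jump
     * to whatever the file placed there; here we only inspect the field. */
    return callback_is_attacker_bytes(dlg);
}

/* Mitigation: generational handles instead of raw pointers. Freeing bumps
 * the slot's generation, so every outstanding handle turns stale. */
typedef struct { int slot; unsigned gen; } handle_t;

static handle_t handle_alloc(void) {
    slot_t *s = slab_alloc();
    if (s == NULL) return (handle_t){ -1, 0 };
    int idx = (int)(s - slab);
    return (handle_t){ idx, slot_gen[idx] };
}
static dialog_t *handle_get(handle_t h) {
    if (h.slot < 0 || h.slot >= SLOT_COUNT) return NULL;
    return slot_gen[h.slot] == h.gen ? &slab[h.slot].dialog : NULL;
}
static void handle_free(handle_t h) {
    if (handle_get(h) == NULL) return;   /* stale: also blocks double free */
    slot_gen[h.slot]++;
    slab_free(&slab[h.slot]);
}

/* Same sequence through handles. Returns 1 if a stale use reached reused
 * memory, 0 if the allocator rejected it. */
int hardened_flow(void) {
    slab_reset();
    handle_t h = handle_alloc();
    dialog_t *dlg = handle_get(h);
    strcpy(dlg->title, "Save changes?");
    dlg->on_close = benign_on_close;

    handle_free(h);

    slot_t *attacker = slab_alloc();
    memset(attacker->raw, 0x41, sizeof attacker->raw);

    dialog_t *stale = handle_get(h);
    return stale != NULL && callback_is_attacker_bytes(stale);
}

int main(void) {
    printf("vulnerable flow: callback overwritten = %d\n", vulnerable_flow());
    printf("hardened flow:   stale use reached memory = %d\n", hardened_flow());
    return 0;
}
```

The mini-heap stands in for the real allocator only to keep the reuse deterministic; against a real `malloc` the same sequence is undefined behavior and an ASan build would abort at the stale read, which is exactly the kind of crash EXPMON observed. The generational-handle scheme is one of several mitigations (others are nulling every alias on free, or quarantining freed chunks), and it helps only if no raw pointer to the object escapes the handle API.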

The flaw has now been fixed in the latest Acrobat Reader and Adobe Acrobat versions. Users can confirm they are on the fixed build through Help > Check for Updates in the application.

PoC exploit discovered in June

The Acrobat Reader zero-day was discovered in June by EXPMON, a sandbox-based platform created by cybersecurity researcher Haifei Li to detect advanced exploits such as zero-days or hard-to-detect (unknown) exploits.

“I created EXPMON because I noticed that there were no sandbox-based detection and analysis systems specifically focusing on detecting threats from an exploit or vulnerability perspective,” Li told BleepingComputer.

“All the other systems do detection from a malware perspective. The exploit/vulnerability perspective is much needed if you want to go more advanced (or, early) detection.”

“For example, if no malware is dropped or executed due to certain conditions, or if the attack does not use any malware at all, those systems would miss such threats. Exploits operate quite differently from malware, so a different approach is needed to detect them.”

The zero-day was discovered after a large number of samples from a public source were submitted to EXPMON for analysis. These samples included a malicious PDF containing a proof-of-concept exploit that caused a crash.

While the PoC exploit is a work in progress and contains no malicious payload, it was confirmed to exploit a use-after-free bug, which could be used for remote code execution.

After Li disclosed the flaw to Adobe, a security update was released in August. However, the update did not fix the flaw, which could still be triggered after closing various dialogs.

“We tested the (exactly the same) sample on the “patched” Adobe Reader version, it displayed additional dialogs, but if the user clicked/closed those dialogs, the app still crashed! Same UAF bug!,” tweeted the EXPMON X account.


Yesterday, Adobe released a new security update that fixes the bug, now tracked as CVE-2024-41869.

Li will be releasing details on how the bug was detected on EXPMON’s blog, and further technical information in an upcoming Check Point Research report.
