For February 2021 Patch Tuesday, Adobe released patches correcting 50 vulnerabilities across its product range, including 34 rated critical, one of which is being actively exploited in the wild in limited attacks on Windows users.
The actively exploited vulnerability is a heap-based buffer overflow in Adobe Acrobat Reader, tracked as CVE-2021-21017. If the overflow is triggered, an attacker can execute arbitrary code on the vulnerable computer in the context of the current user. Exploitation requires user interaction: the victim has to be convinced to open a specially crafted PDF, for example one served from a malicious website.
In total, 23 CVEs have been addressed in Acrobat and Reader (17 critical, 6 important); 18 in Magento (7 critical, 10 important, 1 moderate); 5 in Photoshop (all critical); 2 in Illustrator (both critical); and one each in Animate (critical) and Dreamweaver (important).
The majority of the critical flaws allow remote execution of arbitrary code and could be exploited to take control of a vulnerable computer. The Acrobat and Reader update has been assigned priority rating 1, meaning the flaws are either being targeted or are at a higher risk of being targeted, so these products should be updated as soon as possible (Adobe recommends within 72 hours for priority 1 updates).
Affected versions:
- Acrobat DC / Acrobat Reader DC versions 2020.013.20074 and earlier for Windows and macOS
- Acrobat 2020 / Acrobat Reader 2020 versions 2020.001.30018 and earlier for Windows and macOS
- Acrobat 2017 / Acrobat Reader 2017 versions 2017.011.30188 and earlier for Windows and macOS
Updated versions:
- Acrobat DC / Acrobat Reader DC version 2021.001.20135
- Acrobat 2020 / Acrobat Reader 2020 version 2020.001.30020
- Acrobat 2017 / Acrobat Reader 2017 version 2017.011.30190
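A quick way to act on the priority 1 rating is to check every Acrobat and Reader install against the fixed builds listed above. The following Python is an added example, not Adobe's tooling or code from the advisory: it parses Adobe's three-component version strings, compares them numerically against the fixed build for each release track, and reports the hosts that still need the update. The inventory lines, host names and the `needs_update` / `audit` helper names are constructed for the example.

```python
"""Flag Acrobat/Reader installs below the fixed builds from Adobe's
February 2021 update (APSB21-09, the Acrobat/Reader bulletin).

Added example, not Adobe's tooling. The inventory below is constructed
sample data; a real run would feed it from an endpoint-management export.
"""
from typing import List, NamedTuple, Tuple

# Fixed builds per release track, as given in the advisory text above.
FIXED_VERSIONS = {
    "DC": "2021.001.20135",    # Acrobat DC / Acrobat Reader DC (continuous track)
    "2020": "2020.001.30020",  # Acrobat 2020 / Acrobat Reader 2020 (classic track)
    "2017": "2017.011.30190",  # Acrobat 2017 / Acrobat Reader 2017 (classic track)
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2020.013.20074' into (2020, 13, 20074).

    Components are compared as integers, not as strings, so the result does
    not depend on Adobe zero-padding the middle component.
    """
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Acrobat version string: {version!r}")
    return tuple(int(p) for p in parts)


def needs_update(track: str, installed: str) -> bool:
    """True if the installed build is below the fixed build for its track.

    Comparing against the fixed build (rather than the 'and earlier' ceiling
    in the advisory) also flags any build that sits between the two.
    """
    if track not in FIXED_VERSIONS:
        raise KeyError(f"unknown Acrobat release track: {track!r}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[track])


class Finding(NamedTuple):
    host: str
    track: str
    installed: str
    fixed: str


def audit(inventory_csv: str) -> List[Finding]:
    """Return one Finding per host still running a vulnerable build.

    Each inventory line is 'host,track,installed_version' (constructed format).
    """
    findings = []
    for line in inventory_csv.strip().splitlines():
        host, track, installed = (field.strip() for field in line.split(","))
        if needs_update(track, installed):
            findings.append(Finding(host, track, installed, FIXED_VERSIONS[track]))
    return findings


# Constructed sample inventory: hypothetical hosts, mixed tracks and builds.
SAMPLE_INVENTORY = """\
ws-001,DC,2020.013.20074
ws-002,DC,2021.001.20135
ws-003,2020,2020.001.30018
ws-004,2017,2017.011.30190
ws-005,2017,2017.011.30166
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.track} track at {f.installed}, update to {f.fixed}")
```

Feed `audit` an export from whatever endpoint-management system records installed software versions; every host whose build is below the fixed build for its track is returned, and anything already at or above it is silently accepted.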
The Magento update has been assigned priority rating 2, which Adobe applies to updates that resolve vulnerabilities in a product that has historically been at elevated risk of attack; there are no known exploits at present, but administrators should install the update soon (Adobe suggests within 30 days).
Affected versions:
- Magento Commerce and Magento Open Source versions 2.4.1 and earlier
Updated versions:
- Magento Commerce versions 2.4.2, 2.4.1-p1, and 2.3.6-p1
- Magento Open Source versions 2.4.2, 2.4.1-p1, and 2.3.6-p1
The remaining updates have been assigned priority rating 3. While some of the vulnerabilities they fix are rated critical, they are in products that have not historically been targeted by attackers, so Adobe recommends installing them at administrators' discretion.
Affected versions:
- Adobe Photoshop 2020 version 21.2.4 and earlier
- Adobe Photoshop 2021 version 22.1.1 and earlier
- Adobe Illustrator 2021 version 25.1 and earlier
- Adobe Animate version 21.0.2 and earlier
- Adobe Dreamweaver versions 20.2 and 21.0
Updated versions:
- Adobe Photoshop 2020 version 21.2.5
- Adobe Photoshop 2021 version 22.2
- Adobe Illustrator 2021 version 25.2
- Adobe Animate version 21.0.3
- Adobe Dreamweaver versions 20.2.1 and 21.1