Adobe Patches Reader Flaws That Earned Hackers $150,000 at Chinese Contest
Adobe on Tuesday announced security updates for several products, including for Acrobat and Reader, in which the software giant patched a total of 26 vulnerabilities.
Of the 26 security holes fixed in the Windows and macOS versions of Acrobat and Reader, 16 have been assigned a “critical” severity rating (high severity based on their CVSS score), and a majority are memory-related issues that can be exploited for arbitrary code execution.
Four of these critical vulnerabilities — CVE-2021-44704 through CVE-2021-44707 — were disclosed by four different teams at China’s Tianfu Cup hacking contest.
Tianfu Cup organizers offered up to $60,000 for Reader exploits that achieved remote code execution with a sandbox escape. Researchers earned a total of $1.9 million at the event that took place in October.
A source told SecurityWeek that the team representing Chinese cybersecurity company Cyber Kunlun earned $60,000 for its exploit, while the other teams earned $30,000 each, as their exploits did not include a sandbox escape. The exploit worth $60,000 included a Windows kernel bug that Microsoft has yet to patch.
The remaining flaws patched in Acrobat and Reader can be exploited for privilege escalation, bypassing security features, causing a DoS condition, and obtaining data from memory.
Adobe says it’s not aware of any malicious attacks targeting these vulnerabilities.