Vulnerable Acrobat Reader

osquery
Vulnerable version of Adobe Acrobat Reader is installed
Author

Chainguard

Published

January 29, 2025

Description

ODK (osquery-defense-kit) is unique in that its queries are designed to be used as part of a production detection and response pipeline. Detection queries are written to return zero rows during normal, expected behavior, so that they can be configured to generate an alert whenever rows are returned.

Query

-- Vulnerable version of Adobe Acrobat Reader is installed
--
-- References:
--   * https://helpx.adobe.com/security/products/acrobat/apsb23-34.html
--
-- tags: persistent state filesystem
-- platform: darwin
SELECT
  name,
  path,
  bundle_version,
  TRIM(REGEX_MATCH (bundle_version, "^(\\d+)\\.", 1)) AS major,
  TRIM(REGEX_MATCH (bundle_version, "\\.(\\d+)$", 1)) AS patch
FROM
  apps
WHERE
  name LIKE "%Acrobat%"
  AND (
    (
      major = "23"
      AND CAST(patch AS integer) < 20285
    )
    OR (
      major = "20"
      AND CAST(patch AS integer) < 30517
    )
  )
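The following is an added example, not part of ODK or of this page: a small Python re-implementation of the query's matching logic, run over a constructed set of rows shaped like osquery's `apps` table. It shows which bundle versions the two REGEX_MATCH expressions flag (only the first and last dotted components are compared, and a version with no dot yields NULL and is never matched, because CAST(NULL AS integer) is NULL). The app names, paths and version strings are made up for illustration.

```python
import re

# Constructed sample rows mimicking osquery's `apps` table on macOS.
# Names, paths and bundle_version values are invented for this example.
SAMPLE_APPS = [
    {"name": "Adobe Acrobat Reader.app", "path": "/Applications/Adobe Acrobat Reader.app", "bundle_version": "23.006.20284"},
    {"name": "Adobe Acrobat Reader.app", "path": "/Applications/Adobe Acrobat Reader.app", "bundle_version": "23.006.20285"},
    {"name": "Adobe Acrobat.app", "path": "/Applications/Adobe Acrobat.app", "bundle_version": "20.005.30516"},
    {"name": "Adobe Acrobat.app", "path": "/Applications/Adobe Acrobat.app", "bundle_version": "20.005.30517"},
    {"name": "Adobe Acrobat.app", "path": "/Applications/Adobe Acrobat.app", "bundle_version": "22.003.20310"},
    {"name": "Preview.app", "path": "/System/Applications/Preview.app", "bundle_version": "11.0"},
]

# Same patterns as the query: first dotted component, and last dotted component.
MAJOR_RE = re.compile(r"^(\d+)\.")
PATCH_RE = re.compile(r"\.(\d+)$")


def extract_parts(bundle_version):
    """Mirror TRIM(REGEX_MATCH(bundle_version, ..., 1)) for major and patch.

    Returns (major, patch) as strings, or None for a component when the
    pattern does not match (osquery's REGEX_MATCH returns NULL in that case).
    """
    m = MAJOR_RE.search(bundle_version)
    p = PATCH_RE.search(bundle_version)
    major = m.group(1).strip() if m else None
    patch = p.group(1).strip() if p else None
    return major, patch


def flagged_apps(rows):
    """Return the rows the query's WHERE clause would select."""
    hits = []
    for row in rows:
        # LIKE "%Acrobat%" is case-insensitive for ASCII in SQLite.
        if "acrobat" not in row["name"].lower():
            continue
        major, patch = extract_parts(row["bundle_version"])
        if patch is None:
            # CAST(NULL AS integer) is NULL; NULL < N is never true.
            continue
        patch_n = int(patch)
        vulnerable = (major == "23" and patch_n < 20285) or (
            major == "20" and patch_n < 30517
        )
        if vulnerable:
            hits.append({**row, "major": major, "patch": patch})
    return hits


if __name__ == "__main__":
    for hit in flagged_apps(SAMPLE_APPS):
        print(f"{hit['name']}: {hit['bundle_version']} (major={hit['major']}, patch={hit['patch']})")
```

Running it prints the two rows below the query's thresholds (23.006.20284 and 20.005.30516); the 22.x row is not selected because the query only evaluates the 23 and 20 trains.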


Reference

https://github.com/chainguard-dev/osquery-defense-kit