CVE-2014-0546 used in targeted attacks – Adobe Reader Update

Today Adobe released the security bulletin APSB14-19, crediting Kaspersky Lab for reporting CVE-2014-0546.

This out of band patch fixes a rather creative sandbox escape technique that we observed in a very limited number of targeted attacks.


At the moment, we are not providing any details on these attacks as the investigation is still ongoing. Although these attacks are very rare, just to stay on the safe side we recommend everyone to get the update from the Adobe site as soon as possible.

You can grab the Adobe Reader updates here.

CVE-2014-0546 used in targeted attacks – Adobe Reader Update

Your email address will not be published. Required fields are marked *


  1. Lars Groh

    I’m afraid I don’t quite get the “out of band” part – after all it’s Adobe Patch Tuesday.


  2. Costin Raiu

    This was indeed an out-of-band update. Updates for Reader and Acrobat (!) are shipped quarterly (the next regularly scheduled update is September). Adobe felt this was an important issue and decided to issue an out-of-band patch.


  3. Amy Smith

    I recently purchased a new laptop that didn’t come with Adobe Reader. The first time I downloaded it I got some kind of virus that was attached to my browser and changed all my browser (at the time Mozilla Firefox) settings, changed my search engine to something I’d never heard of. It took me a while to figure out what happened and figure out how to correct it but Kaspersky didn’t prevent it from happening or warn me that it had happened.

    I waited about 6 weeks before attempting to download Adobe Reader again, and with that download ended up with a Trojan virus. Kaspersky caught it immediately, cleaned it up, quarantined it, etc. an I deleted Adobe from my computer. I downloaded it again the next day and the very same thing happened. I’m pretty sure the most recent, patched, free version is what I downloaded from Adobe’s site. So whatever the problem is – it’s not fixed. if it’s known that this is happening perhaps Adobe should stop allowing people to download the free version until the problem is fixed. That’s an entire day of wasted productivity when you have to stop everything you’re doing and clean up that mess.

  4. Lars Groh

    Got it – thanks for clarification.

  5. David

    Can it be indicated whether this exploit is effective with JavaScript and all other active content features disabled?

    Does EMET 5.0 mitigate it?

  6. David

    Also, independent of EMET and disabled-JavaScript, does AcroRdr32 version 11 “protected mode” mitigate this attack? Though XP is no longer supported, does the lack of ASLR and often DEP on that platform allow exploitation of AcroRdr32 in protected-mode?

  7. manish sardiwal

    Thanks for clarification.
    If you can provide md5 for the same.

    Thank you.

  8. Pam

    what abou t Adobe Flash player and active x and Air – do they need updating to a certain level. I have been having problems with adware which is supposed to be the ‘legal’ type. Kaspersky is sorting it when I run a scan but yesterday I had 16 hits.


Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox