Adobe InCopy is a popular application used for authoring and editing content. But in 2022, a critical security flaw (CVE-2022-28836) was discovered, making some versions dangerously vulnerable. This post explains how the vulnerability works, how it can be exploited by attackers, and what you need to know to protect yourself.

Adobe InCopy 16.4.1 and earlier

An *out-of-bounds write* is when a program writes more data than it should to a buffer in memory, potentially overwriting adjacent memory. This can lead to all kinds of bad stuff: crashing applications, leaking sensitive info, or, more dangerously, letting attackers run code of their choice.

Official Description

> *"Adobe InCopy versions 17.1 (and earlier) and 16.4.1 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."*

Reference:

- Adobe Security Bulletin (APSB22-22)
- CVE Details Page for CVE-2022-28836

How Does the Vulnerability Work?

Adobe InCopy manages its own custom file formats. The vulnerability is in how the program parses certain files. If a file is crafted in a malicious way, opening it with a vulnerable InCopy will make the software write data outside the safe area of memory—the “out-of-bounds write” condition.

They send this file to the target user (via email, cloud, USB, etc.).

- When the user opens the file in InCopy, the malicious code is executed with the permissions of that user.

There is no “automatic” exploit; user interaction (opening the malicious file) is needed, but attackers can trick you with a convincing email or document.

Simple Exploit Walkthrough

To understand the risk, let’s walk through how an attacker might exploit this bug in a simplified way.

Step 1: Crafting the Malicious File

InCopy file formats are mostly XML-ish, with binary data. An attacker analyzes how the InCopy parser handles certain tags or elements in the file. In this vulnerable version, there is a parsing bug where input length isn’t correctly checked.

Example (pseudocode)

# This is a simplified demonstration of an out-of-bounds write trigger
def parse_inc_copy_file(data):
    buffer = bytearray(128)
    size = data[]  # First byte says how much to copy
    for i in range(size):  
        buffer[i] = data[i+1]  # If size > 128, memory outside buffer is overwritten

If an attacker puts a high value in data[], like 200, the loop writes to buffer[199]—way past the 128 limit, which is an *out-of-bounds write*.

Step 2: Placing Malicious Code

Attackers can place carefully picked bytes after their payload, so when out-of-bound memory is written, it can overwrite function pointers or critical data. In the right scenario, this lets the attacker tell InCopy to “jump” to their shellcode.

Step 3: Dropping the Exploit

The attacker sends their malicious file as an email attachment named something like “ProjectDraft-IMPORTANT.icml”.

Step 4: User Opens the File

If the target double-clicks or imports the file in InCopy, the exploit runs. The attacker’s code is executed, running as the user.

Proof of Concept

Because Adobe hasn’t released technical Proof-of-Concept (PoC) details, and direct exploitation is illegal on production machines, here’s a *harmless* but illustrative “exploit” using Python to demonstrate the memory overflow principle:

# DO NOT USE AGAINST OTHERS - Demonstration Only
buffer = bytearray(10)
malicious_data = bytearray(range(20))  # 20 bytes, buffer only fits 10
for i in range(len(malicious_data)):
    try:
        buffer[i] = malicious_data[i]  # Will crash after buffer[9]
    except IndexError:
        print(f"Writing out-of-bounds at offset {i}")

In vulnerable C/C++ code, this kind of error could make the program crash or run arbitrary code.

Why Is This Dangerous?

If an attacker can *reliably* overwrite carefully chosen data, they can execute almost any code they want on your computer—install backdoors, steal files, capture keystrokes, or join your device to a botnet.

The exploit runs with the same permissions as the current user, so if you are an administrator, the damage could be even worse.

Update to InCopy version 17.2 or later.

- Get the latest InCopy

Use Antivirus and Endpoint Protection:

Good security software may help catch known exploits – but software updates are the *main defense*.

Adobe classified the severity as Critical.

- On Windows, crash dumps of exploited InCopy may show signs of “buffer overrun” or “segmentation fault”.

If you’re interested in binary analysis and the actual parser code, you may find practical fuzzing guides for InCopy file formats:

- Zero Day Initiative Advisory
- Mitre NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-28836

Conclusion: Patch Now, Be Cautious

CVE-2022-28836 shows just how dangerous a simple file can be. While user interaction is required, attackers are clever and convincing.

If you use, or manage users of, Adobe InCopy: Patch your software and educate your teams. The next time you get a document out of the blue, just think twice before opening it.

Stay safe and keep your software up-to-date.

*This post was created for educational and awareness purposes. For more information, always check original advisories and trusted security resources.*

Timeline

Published on: 09/11/2023 14:15:00 UTC
Last modified on: 09/11/2023 14:26:00 UTC