Adobe Warns of Critical Zero-Day Flaw in Reader and Acrobat
Adobe is warning users about a critical vulnerability in its Reader and Acrobat applications that could lead to remote code execution. There are reports that attackers already are using the Reader bug in targeted attacks, and Adobe said it plans to have a patch ready by next week.
Adobe security officials said that the vulnerability affects multiple versions of both Acrobat and Reader, but that Reader X is somewhat protected against attacks thanks to the presence of the sandbox, or Protected Mode, in that version.
"A critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said.
The company said it will release a fix for Reader 9.x and Acrobat 9.x on Windows sometime next week, but that Reader X and Acrobat X on Windows, and Reader and Acrobat on Macintosh, will be patched as part of the next quarterly patch update on Jan. 10.
"The reason for addressing this issue quickly for Adobe Reader and Acrobat 9.4.6 for Windows is simple: This is the version and platform currently being targeted. All real-world attack activity, both in this instance and historically, is limited to Adobe Reader on Windows. We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or UNIX for this CVE (or any other CVE)," the Adobe ASSET security team said in a blog post.
"Focusing this release on just Adobe Reader and Acrobat 9.x for Windows also allows us to ship the update much earlier. We are conscious of the upcoming holidays and are working to get this patch out as soon as possible to allow time to deploy the update before users and staff begin time off. Ultimately the decision comes down to what we can do to best mitigate threats to our customers."
Comments
" Acrobat applications that coule lead to remote code execution."
Come on Adobe at least make it harder for them. Getting real old.
This Java / Acrobat / Flash malware merry-go-round is getting tiresome.
Does anyone have a realistic answer for why they're releasing a patch for 9.x on Windows in a week, but waiting until Jan. 10 to release a patch for Adobe Reader X?
What is worse is that Adobe is making a profit out of it, adding a browser installation or an AV scanner in the download of each update.