Adobe plans to release a patch on Friday for the zero-day vulnerability in its Reader and Acrobat applications on Windows that is currently being used in some targeted attacks. The patches for the applications running on other platforms will be released next month during the next scheduled patch update.
“As stated before, because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X and Acrobat X for Windows with the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for January 10, 2012. We are planning to address this issue in Adobe Reader and Acrobat X and earlier versions for Macintosh as part of the next quarterly update scheduled for January 10, 2012. An update to address this issue in Adobe Reader 9.x for UNIX is planned for January 10, 2012,” Adobe said in a blog post.
The vulnerability first surfaced earlier this month, and in its initial advisory Adobe credited Lockheed Martin for reporting the bug. There have also been reports that the vulnerability has been used in targeted attacks against other companies, and one of the files used in an attack was an employee survey for ManTech, another defense contractor.