Adobe today released an out-of-band patch for a zero-day vulnerability in Adobe Reader and Acrobat that has been leveraged in targeted attacks.
Kaspersky Lab Global Research and Analysis Team director Costin Raiu is credited with reporting the vulnerability. Details were not announced, but Raiu said on the Securelist blog that exploits have been observed in a limited number of targeted attacks. Adobe said attackers have been targeting Windows machines running the Reader and Acrobat software.
“At the moment, we are not providing any details on these attacks as the investigation is still ongoing,” Raiu said. “Although these attacks are very rare, just to stay on the safe side we recommend everyone to get the update from the Adobe site as soon as possible.”
Adobe said today’s update patches a vulnerability (CVE-2014-0546) that when exploited allows an attacker to circumvent sandbox protections. Reader and Acrobat for Apple OS X are not vulnerable, Adobe said. Raiu called it “a rather creative sandbox escape.”
Reader and Acrobat versions 11.0.07 and earlier for Windows are affected, Adobe said.
The Reader update is one of two released today by Adobe. The other patches seven vulnerabilities in Flash Player, most of which are rated critical by Adobe.
None of the Flash bugs are being exploited in the wild, Adobe said. Five of the updates patch memory-related vulnerabilities that can be used to bypass memory address randomization, Adobe said. The two remaining patches address a security bypass vulnerability and a use-after-free vulnerability that could allow a hacker to remotely execute code on the underlying system.
Affected versions are:
- Adobe Flash Player 220.127.116.11 and earlier versions for Windows and Macintosh
- Adobe Flash Player 18.104.22.1684 and earlier versions for Linux
- Adobe AIR 22.214.171.124 and earlier versions for Windows and Macintosh
- Adobe AIR 126.96.36.199 SDK and earlier versions
- Adobe AIR 188.8.131.52 SDK & Compiler and earlier versions
- Adobe AIR 184.108.40.206 and earlier versions for Android
All of the Flash bugs are rated critical and can lead to code execution.