Adobe is warning users about a critical vulnerability in its Reader and Acrobat applications that could lead to remote code execution. There are reports that attackers already are using the Reader bug in targeted attacks, and Adobe said it plans to have a patch ready by next week.
Adobe security officials said that the vulnerability affects multiple versions of both Acrobat and Reader, but that Reader X is somewhat protected against attacks thanks to the presence of the sandbox, or Protected Mode, in that version.
“A critical vulnerability has been in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said.
The company said it will release a fix for Reader 9.x and Acrobat 9.x on Windows sometime next week, but that patches for Reader X and Acrobat X on Windows and Reader and Acrobat on Macintosh will be patched as part of the next quarterly patch update on Jan. 10.
“The reason for addressing this issue quickly for Adobe Reader and Acrobat 9.4.6 for Windows is simple: This is the version and platform currently being targeted. All real-world attack activity, both in this instance and historically, is limited to Adobe Reader on Windows. We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or UNIX for this CVE (or any other CVE),” the Adobe ASSET security team said in a blog post.
“Focusing this release on just Adobe Reader and Acrobat 9.x for Windows also allows us to ship the update much earlier. We are conscious of the upcoming holidays and are working to get this patch out as soon as possible to allow time to deploy the update before users and staff begin time off. Ultimately the decision comes down to what we can do to best mitigate threats to our customers.”