Adobe Warns of Critical Zero-Day Flaw in Reader and Acrobat

Adobe is warning users about a critical vulnerability in its Reader and Acrobat applications that could lead to remote code execution. There are reports that attackers already are using the Reader bug in targeted attacks, and Adobe said it plans to have a patch ready by next week.


Adobe security officials said that the vulnerability affects multiple versions of both Acrobat and Reader, but that Reader X is somewhat protected against attacks thanks to the presence of the sandbox, or Protected Mode, in that version.

“A critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said.

The company said it will release a fix for Reader 9.x and Acrobat 9.x on Windows sometime next week, but that Reader X and Acrobat X on Windows, and Reader and Acrobat on Macintosh, will be patched as part of the next quarterly update on Jan. 10.

“The reason for addressing this issue quickly for Adobe Reader and Acrobat 9.4.6 for Windows is simple: This is the version and platform currently being targeted. All real-world attack activity, both in this instance and historically, is limited to Adobe Reader on Windows. We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or UNIX for this CVE (or any other CVE),” the Adobe ASSET security team said in a blog post.

“Focusing this release on just Adobe Reader and Acrobat 9.x for Windows also allows us to ship the update much earlier. We are conscious of the upcoming holidays and are working to get this patch out as soon as possible to allow time to deploy the update before users and staff begin time off. Ultimately the decision comes down to what we can do to best mitigate threats to our customers.”

Discussion

  • Anonymous on

    "Acrobat applications that could lead to remote code execution."

    Come on Adobe at least make it harder for them. Getting real old.

  • Anonymous on

    This Java / Acrobat / Flash malware merry-go-round is getting tiresome.

  • Anonymous on

    Does anyone have a realistic answer for why they're releasing a patch for 9.x on Windows in a week, but waiting until Jan. 10 to release a patch for Adobe Reader X?

  • gadi on

    What is worse is that Adobe is making a profit out of it, adding a browser installation or an AV scanner in the download of each update.
