Zero-day vulnerability in Adobe’s PDF Reader

ID: IRCNE2011121334
Date: 2011-12-07

According to “ZDNet”, unknown hackers are exploiting a zero-day vulnerability in Adobe’s PDF Reader software to launch “limited, targeted attacks” against Windows users.
According to a warning from Adobe, the attacks have been observed in the wild against Windows users running Adobe Reader version 9.4.6. Details on the attacks and targets are not known at this time.
The company plans to ship an emergency patch for Adobe Reader and Acrobat 9.x for Windows “no later than the week of December 12, 2011.”
The vulnerability is also present in Adobe’s newer Reader X software, but because that version includes anti-exploitation roadblocks, the company is in no rush to release Reader X updates to thwart this wave of attacks.
The reason for addressing this issue quickly for Adobe Reader and Acrobat 9.4.6 for Windows is simple: This is the version and platform currently being targeted. “We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or UNIX for this CVE (or any other CVE),” according to Adobe security chief Brad Arkin.
Arkin says that focusing this release on just Adobe Reader and Acrobat 9.x for Windows also allows Adobe to ship the update much earlier.
Arkin also pleaded with Adobe users to upgrade to the latest and greatest versions:
“I’d like to take this moment to encourage any remaining users still running Adobe Reader or Acrobat 9.x (or worse, older unsupported versions) to PLEASE upgrade to Adobe Reader or Acrobat X. We put a tremendous amount of work into securing Adobe Reader and Acrobat X, and, to date, there has not been a single piece of malware identified that is effective against a version X install.”
Adobe rates this a “critical” issue. “This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe warned.
