Unknown hackers are exploiting a zero-day vulnerability in Adobe’s PDF Reader software to launch “limited, targeted attacks” against high-value Windows users.
According to a warning from Adobe, the attacks have been observed in the wild against Windows users running Adobe Reader version 9.4.6. Details on the attacks and targets are not known at this time.
The company plans to ship an emergency patch for Adobe Reader and Acrobat 9.x for Windows “no later than the week of December 12, 2011.”
The vulnerability is also present in Adobe’s newer Reader X software but because there are anti-exploitation roadblocks in that version, the company is in no rush to release Reader X updates to thwart this wave of attacks.
“The reason for addressing this issue quickly for Adobe Reader and Acrobat 9.4.6 for Windows is simple: This is the version and platform currently being targeted. All real-world attack activity, both in this instance and historically, is limited to Adobe Reader on Windows. We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or UNIX for this CVE (or any other CVE),” according to Adobe security chief Brad Arkin.
Arkin says that focusing this release on just Adobe Reader and Acrobat 9.x for Windows also allows Adobe to ship the update much earlier. “We are conscious of the upcoming holidays and are working to get this patch out as soon as possible to allow time to deploy the update before users and staff begin time off. Ultimately the decision comes down to what we can do to best mitigate threats to our customers,” Arkin added.
Arkin also pleaded with Adobe users to upgrade to the latest and greatest versions:
I’d like to take this moment to encourage any remaining users still running Adobe Reader or Acrobat 9.x (or worse, older unsupported versions) to PLEASE upgrade to Adobe Reader or Acrobat X. We put a tremendous amount of work into securing Adobe Reader and Acrobat X, and, to date, there has not been a single piece of malware identified that is effective against a version X install. Help us help you by running the latest version of the software!
Adobe rates this a “critical” issue that currently haunts Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh.
“This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe warned.
