Adobe zero-day flaw won't be fixed until March

All versions of Adobe Reader and Acrobat Reader are affected by the flaw, which is being actively exploited in the wild

A zero-day vulnerability in all versions of Adobe Reader and Acrobat will not have a fix until March, Adobe has warned.

A successful exploit of a buffer overflow flaw in the PDF reader code could cause the applications to crash, the software maker said in an advisory released on Thursday. That could then allow a remote attacker to take control of an affected system.

Affected products include Adobe Reader 9 and Acrobat 9, as well as earlier versions. The company said it expected updates to be available for Adobe Reader 9 and Acrobat 9 by 11 March, with patches for earlier versions being made available "soon after".

Shadowserver Foundation, a security research organisation, reported on Thursday that the hole in Adobe Reader was being actively exploited in the wild, and that independent security researcher Matt Richard had performed an analysis of the exploit code.

According to Richard, malicious PDFs in the wild are exploiting a vulnerability in a non-JavaScript function call. Both Richard and Shadowserver researcher Steven Adair recommended disabling Javascript in Adobe Acrobat and Reader products until a fix is made available.