Adobe issued a critical update Tuesday plugging a serious zero-day vulnerability in Acrobat Reader that was being actively exploited by attackers.
Hackers have been spreading malicious PDF files in targeted attacks in an attempt to exploit a processing error in Adobe Acrobat Reader 8 and 9, which results in a buffer overflow. If successfully exploited, the flaw could give attackers access to critical system files.
"This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system," Adobe said in its security bulletin.
The Adobe Reader 9.1 and Acrobat 9.1 update corrects the JBIG2 stream array indexing error. JBIG2 is an image compression format for binary images. Adobe said it expects to issue updates for Adobe Reader 7 and 8, and Acrobat 7 and 8 by March 18. An update to Adobe Reader 9.1 for Unix will be released by March 25.
Symantec said researchers there were given a sample of the threat Feb. 12. Adobe said it had been testing a patch prior to Tuesday's release. It has come under increased pressure from some security researchers for its handling of the zero-day and for taking too long to issue an update.
"They just don't appear to have taken it serious enough," said Andrew Storms, director of security operations at security and compliance auditing vendor nCircle Network Security Inc. "They need to work better at communicating to their customers."
Wolfgang Kandek, chief technology officer of patch management vendor Qualys Inc., said Adobe should have issued an update much faster to accommodate its large user base, despite ongoing attacks being limited and targeted.
"… it makes me wonder whether Adobe has a setup to react to security flaws in an out-of-band manner, rather than through normal product cycles. Vulnerabilities of such magnitude need to be handled by a dedicated team that has the resources to quickly develop and deploy a fix," Kandek said in a prepared statement.