Adobe security update being issued for zero-day in Reader, Acrobat for Windows

Hillary O’Rourke, Contributor

Adobe Systems has released a security advisory, warning of a critical zero-day vulnerability in its Adobe Reader and Acrobat for Windows. In its security advisory, the company says the flaw is being actively exploited.

The vulnerability affects Adobe Reader X 10.1.1 and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X 10.1.1 and earlier versions for Windows and Macintosh.

The critical vulnerability, CVE-2011-2462, is a memory corruption flaw in U3D, a technology that enables Reader and Acrobat to interact with 3D objects. An attacker could create a malicious PDF containing a 3D object to cause a crash and potentially take control of the affected system.

“There are reports that the vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows,” Adobe said in its Product Security Incident Response Team (PSIRT) blog post.

Product engineers are preparing a fix and plan to issue an out-of-cycle Adobe security update for Adobe Reader and Acrobat for Windows no later than the week of December 12, said Brad Arkin, director of product security and privacy at Adobe. Adobe Reader X Protected Mode and Adobe Acrobat X Protected View won’t see an update until the next quarterly Adobe security update slated for January 10, 2012, Arkin wrote in a blog post providing details about the flaw.

“The reason for addressing this issue quickly for Adobe Reader and Acrobat 9.4.6 for Windows is simple: This is the version and platform currently being targeted,” wrote Arkin. “We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or UNIX for this CVE (or any other CVE).”

This is the first zero-day vulnerability found in Adobe Reader and Acrobat code that is unrelated to Flash Player since September 2010. Adobe Reader for Android and Adobe Flash Player are not affected by the issue.

