Adobe security update being issued for zero-day in Reader, Acrobat for Windows

Adobe has issued a warning about a critical zero-day vulnerability in Adobe Reader and Acrobat for Windows. An emergency security update is scheduled.

Adobe Systems has released a security advisory warning of a critical zero-day vulnerability in Adobe Reader and Acrobat for Windows. The company says the flaw is being actively exploited.

The vulnerability affects Adobe Reader X 10.1.1 and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X 10.1.1 and earlier versions for Windows and Macintosh.

The critical vulnerability, CVE-2011-2462, is due to memory corruption in U3D, a technology that enables Reader and Acrobat to interact with 3D objects. An attacker could create a malicious PDF containing a 3D object to cause a crash and potentially take control of the affected system.

“There are reports that the vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows,” Adobe said in its Product Security Incident Response Team (PSIRT) blog post.

Product engineers are preparing a fix and plan to issue an out-of-cycle Adobe security update for Adobe Reader and Acrobat for Windows no later than the week of December 12, said Brad Arkin, director of product security and privacy at Adobe. Adobe Reader X Protected Mode and Adobe Acrobat X Protected View won’t see an update until the next quarterly Adobe security update slated for January 10, 2012, Arkin wrote in a blog post giving details about the flaw.

“The reason for addressing this issue quickly for Adobe Reader and Acrobat 9.4.6 for Windows is simple: This is the version and platform currently being targeted,” wrote Arkin. “We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or UNIX for this CVE (or any other CVE).”

This is the first zero-day vulnerability found in Adobe Reader and Acrobat code, not relating to Flash Player, since September 2010. Adobe Reader for Android and Adobe Flash Player are not affected by the issue.
