Adobe Systems has released a security advisory, warning of a critical zero-day vulnerability in its Adobe Reader and Acrobat for Windows. In its security advisory, the company says the flaw is being actively exploited.
The vulnerability affects Adobe Reader X 10.1.1 and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X 10.1.1 and earlier versions for Windows and Macintosh.
The critical vulnerability, CVE-2011-2462, is a memory corruption issue in the U3D component, the technology that lets Reader and Acrobat render and interact with embedded 3D objects. An attacker could craft a malicious PDF containing a 3D object that crashes the application and potentially allows the attacker to take control of the affected system.
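The advisory identifies the delivery vector as a PDF that carries a 3D object, so a defender's first triage question is simply whether a suspect file contains any 3D or U3D content at all. The following Python snippet is an added example, not code from the page or from Adobe: it scans raw PDF bytes for the dictionary markers that a 3D annotation and a U3D data stream use, after undoing PDF's `#xx` name escapes so a trivially obfuscated name is not missed. The sample PDFs are constructed inline for illustration; the marker names and the `has_3d_content` / `u3d_indicators` helpers are this example's own assumptions.

```python
import re

# Constructed sample inputs (not real captured files).
# A minimal PDF with no annotations at all.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"%%EOF\n"
)

# A 3D annotation (/Subtype /3D) whose /3DD entry points at a stream
# declared as /Subtype /U3D, the object type the advisory names.
U3D_PDF = (
    b"%PDF-1.7\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /3D /3DD 6 0 R >>\nendobj\n"
    b"6 0 obj\n<< /Type /3D /Subtype /U3D /Length 4 >>\n"
    b"stream\nU3D\x00\nendstream\nendobj\n"
    b"%%EOF\n"
)

# Same file, but the name /U3D is written with PDF's #xx hex escape
# for 'U' (0x55). A byte-for-byte grep for "/U3D" would miss this.
ESCAPED_PDF = U3D_PDF.replace(b"/U3D", b"/#553D")

# PDF name objects may encode any byte as #xx; fold them back to raw bytes.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Markers that indicate 3D content: the annotation subtype, the U3D
# stream subtype, and the /3DD key that links an annotation to its data.
U3D_MARKERS = (
    re.compile(rb"/Subtype\s*/U3D\b"),
    re.compile(rb"/Subtype\s*/3D\b"),
    re.compile(rb"/3DD\b"),
)


def normalize_names(data: bytes) -> bytes:
    """Replace #xx escapes inside PDF names with the byte they encode."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def u3d_indicators(data: bytes) -> list:
    """Return the marker patterns found in the (name-normalized) PDF bytes."""
    data = normalize_names(data)
    return [m.pattern.decode() for m in U3D_MARKERS if m.search(data)]


def has_3d_content(data: bytes) -> bool:
    """True if any 3D / U3D marker is present.

    Caveat: this inspects only uncompressed dictionaries. A PDF that hides
    its objects inside a FlateDecode-compressed object stream (PDF 1.5+)
    needs a real parser that decompresses object streams before scanning.
    """
    return bool(u3d_indicators(data))


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("u3d", U3D_PDF), ("escaped", ESCAPED_PDF)):
        print(f"{label}: 3D content={has_3d_content(pdf)} indicators={u3d_indicators(pdf)}")
```

A hit from this scan is a reason to open the file only in a sandbox or a patched version, not proof of exploitation; legitimate engineering PDFs embed U3D models too. Triage by presence of the component, then by whether the source and context make a 3D attachment plausible.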
“There are reports that the vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows,” Adobe said in its Product Security Incident Response Team (PSIRT) blog post.
Product engineers are preparing a fix and plan to issue an out-of-cycle Adobe security update for Adobe Reader and Acrobat for Windows no later than the week of December 12, said Brad Arkin, director of product security and privacy at Adobe. Adobe Reader X, whose Protected Mode sandbox mitigates the issue, and Adobe Acrobat X, with its Protected View, won’t see an update until the next quarterly Adobe security update slated for January 10, 2012, Arkin wrote in a blog post providing details about the flaw.
“The reason for addressing this issue quickly for Adobe Reader and Acrobat 9.4.6 for Windows is simple: This is the version and platform currently being targeted,” wrote Arkin. “We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or UNIX for this CVE (or any other CVE).”
This is the first zero-day vulnerability found in Adobe Reader and Acrobat code, as opposed to Flash Player, since September 2010. Adobe Reader for Android and Adobe Flash Player are not affected by the issue.