Adobe confirms zero-day danger in Reader and Acrobat

Adobe

(PhysOrg.com) -- Adobe on Tuesday issued a critical security advisory for Adobe Reader and Acrobat. A vulnerability was detected and confirmed in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. Adobe said the flaw could cause a crash and allow an attacker to take control of the affected system.

The is being “actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on ,” according to the Adobe statement. The goal by attackers is to infect computers with malware. Since it can lead to the execution of arbitrary code, Adobe is categorizing the vulnerability as critical.

Adobe says the flaw affects multiple operating systems and various versions of its software.
• Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
• Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and
• Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
• Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and

The Reader for Android and Adobe Flash player are not affected.

Lockheed Martin and members of the Defense Security Information Exchange discovered and reported the flaw to Adobe. Defense contractors are being targeted, suggest reports.

Adobe says it is working on the fix and plans to issue an update for Adobe Reader and Acrobat 9.x for Windows no later than the week of December 12. .Adobe will “address the issue” in .Adobe Reader X and Acrobat X for Windows with the next update for Adobe Reader and Acrobat, and earlier versions of the Mac, scheduled for January 10.

An update to address 9.x for UNIX is also planned for January 10.

Tracking the latest information on the Adobe incident can be done by accessing the blog at blogs.adobe.com/psirt.

Meanwhile, security vendors Sophos reported on Tuesday that more mischief is being added in the form of fake fixes that are pretending to be sent from Adobe. Sophos is warning the public to beware of the phony upgrade notifications. The emails carry a ZIP attachment which has a version of the Zeus Trojan designed to steal banking information. Samples seen so far by Sophos all carry malware in the file "Adobe Systems Software Critical Update Dec 2011.exe" contained within the ZIP.

More information: nakedsecurity.sophos.com/2011/ … on-malware-attached/

© 2011 PhysOrg.com

Citation: Adobe confirms zero-day danger in Reader and Acrobat (2011, December 7) retrieved 29 March 2024 from https://phys.org/news/2011-12-adobe-zero-day-danger-reader-acrobat.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Explore further

Adobe cutting 680 jobs

0 shares

Feedback to editors