Zero-day Adobe Reader flaw exploited in ongoing attacks

Adobe has issued a security advisory notifying users about a newly discovered and still unpatched vulnerability in Adobe Reader and Adobe Acrobat which has been spotted being used in “limited, targeted attacks in the wild”.

The affected versions are Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh, but the reported attacks have apparently only been targeting Adobe Reader 9.x on Windows.

The attackers can exploit the U3D memory corruption flaw to crash the affected systems and to potentially gain access to them, and the fact that Adobe credited defense contractor Lockheed Martin’s CIRT and members of the Defense Security Information Exchange with reporting the issue has given rise to speculations that the attackers are after information hidden in their systems.

“We are in the process of finalizing a fix for the issue and expect to make available an update for Adobe Reader and Acrobat 9.x for Windows no later than the week of December 12, 2011,” says Adobe in the advisory. “Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X and Acrobat X for Windows with the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for January 10, 2012.”

Adobe Reader and Acrobat X and earlier versions for Macintosh and Adobe Reader 9.x for UNIX are also scheduled to be delivered on January 10, 2012.

Adobe will be focusing on patching Adobe Reader and Acrobat 9.x for Windows first and will issue an out-of-cycle security update because these are the versions currently being targeted.

“Focusing this release on just Adobe Reader and Acrobat 9.x for Windows also allows us to ship the update much earlier,” explained Adobe’s Director of Product Security and Privacy Brad Arkin. “We are conscious of the upcoming holidays and are working to get this patch out as soon as possible to allow time to deploy the update before users and staff begin time off. Ultimately the decision comes down to what we can do to best mitigate threats to our customers.”

He also urged Adobe Reader and Acrobat users to upgrade to the 10.x version. “We put a tremendous amount of work into securing Adobe Reader and Acrobat X, and, to date, there has not been a single piece of malware identified that is effective against a version X install. Help us help you by running the latest version of the software!” he said.

But, with all this going on, there is another danger that lurks. Sophos has recently spotted a spam campaign delivering fake Acrobat Reader and Adobe X Suite upgrade notifications:

Users are warned not to fall for it and open and run the attached ZIP file because it carries the Bredolab Trojan.

When updating software, it is always best to download the upgrade from the developer’s official site, and to visit that site by typing the correct URL directly into the address bar – never by following a link offered in unsolicited emails.

Don't miss