Adobe issues final Reader and Acrobat patches to kill zero-day attacks

Adobe has the released the final patches for Reader and Acrobat to counter an unexpected flaw currently in use by attackers.

The patch covers Windows Adobe Reader X (10.0.1) and earlier versions, Adobe Reader X (10.0.2) and earlier for Macintosh, and Adobe Acrobat X (10.0.2) for both platforms. The company advised users to update as soon as possible.

Adobe reported the zero-day flaw earlier in the month, and said it was primarily affecting Flash files, but that Reader and Acrobat could be at risk owing to some root structures in the software that are shared with Flash. The Flash component has already been patched.

"The vulnerability is exploited by embedding a malicious Flash file into a Microsoft Word document that serves as the carrier," Wolfgang Kandek, chief technical officer at Qualys, explained in an earlier analysis of the attack.

"Targets receive an email with the document attached, which can have a legitimate sounding name, such as 'Disentangling Industrial Policy and Competition Policy.doc', 'Fukushima.doc', 'Evaluation about Fukushima Nuclear Accident.doc', to trick the target into opening the document."

Once opened the malware exploits the Flash flaw, but then immediately opens a second Word document that displays the information. This second opening is so fast that most people will not notice.

Adobe has issued the patch earlier than expected, after seeing the attacks in use among customers. The company has been under pressure to step up its patching processes, as its applications have come under increasing attack.