Adobe to fix critical Acrobat and Reader flaw next week

Adobe has been forced to issue an emergency security bulletin to warn of a critical new zero-day vulnerability in its Reader and Acrobat tools which is being exploited in the wild and could allow hackers to remotely take control of systems.

Adobe said in a security advisory posted yesterday that the "U3D memory corruption vulnerability" affects Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Unix, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh.

"This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system," the advisory read.

"There are reports that the vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows."

An out-of-cycle fix for Reader and Acrobat 9.x for Windows is currently being built for release no later than the week beginning 12 December.

Adobe said that it has received no reports to date of malicious PDFs being used to exploit Reader or Acrobat for Macintosh or Unix for this flaw, so it is concentrating on rushing out a fix for the version and platform currently being hit in the wild.

Reader and Acrobat X for Windows as well as all Mac and Unix versions of the products will be addressed with the next quarterly security update on 10 January.

Malicious PDFs and other attachments remain a popular way for cyber criminals to infect machines. Such attachments are often used by perpetrators of advanced persistent threats to covertly place malware on a target computer.