
Adobe promises patch for critical Acrobat and Reader flaw on Friday

by Phil Muncaster

16 Dec 2011


Adobe has promised to issue a patch on Friday for a critical flaw in its Reader and Acrobat products currently being exploited in the wild, which could allow hackers to remotely take control of systems.

Adobe said in a security advisory posted last week that the "U3D memory corruption vulnerability" affects Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Unix, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh.

Since then, reports have circulated that the flaw is being used by hackers to craft spam emails with malicious PDF attachments.

"We have started seeing a small number of targeted samples in Sophos Labs of attackers trying to use this vulnerability in email attachments. The emails are well crafted and look very believable," said Sophos Canada senior security advisor Chester Wisniewski in a blog post last week.

Adobe said at the time that the patch will be ready at some point in the week beginning 12 December, so it is still on track to deliver.

"We are in the process of finalising a fix for the issue and expect to make available an update for Adobe Reader 9.x and Acrobat 9.x for Windows on 16 December 2011," the firm said in an updated advisory.

"Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X and Acrobat X for Windows with the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for 10 January 2012."

Adobe added that Mac versions of Reader and Acrobat and Adobe Reader 9.x for Unix will also be addressed in the next scheduled update.

Security admins have already had a busy week in the run-up to Christmas, after Microsoft issued 13 bulletins on Tuesday covering 20 flaws, three of them critical.
