Adobe has been forced to issue an emergency security bulletin to warn of a critical new zero-day vulnerability in its Reader and Acrobat tools which is being exploited in the wild and could allow hackers to remotely take control of systems.
Adobe said in a security advisory posted yesterday that the "U3D memory corruption vulnerability" affects Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Unix, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh.
"This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system," the advisory read.
"There are reports that the vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows."
An out-of-cycle fix for Reader and Acrobat 9.x for Windows is currently being built for release no later than the week beginning 12 December.
Adobe said that it has received no reports to date of malicious PDFs being used to exploit Reader or Acrobat for Macintosh or Unix for this flaw, so it is concentrating on rushing out a fix for the version and platform currently being hit in the wild.
Reader and Acrobat X for Windows as well as all Mac and Unix versions of the products will be addressed with the next quarterly security update on 10 January.
Malicious PDFs and other attachments remain a popular way for cyber criminals to infect machines. Such attachments are often used by perpetrators of advanced persistent threats to covertly place malware on a target computer.
'Sunlit wet sidewalk' provides evidence of methane rainfall on the north pole of Saturn's moon Titan
Methane rainfall indicates the start of the summer season in Titan's northern hemisphere
Scientists believe there could be other hydrides or superhydrides with super conducting properties
Resetting the telemetry circuits and associated boards brought the instrument back to operations mode
Fortnite news and updates: Flaw in Fortnite authentication could have helped attackers steal player login credentials
Attackers could have used Fortnite security flaw to buy in-game currency on players' stored credit cards