Critical Adobe Reader zero-day vulnerability exploited in the wild

Adobe is rushing to patch the memory-corruption vulnerability

Adobe is working on a patch for a newly discovered Adobe Reader vulnerability that is currently being exploited in the wild to infect computers with malware.

The flaw affects Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, as well as Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh.

The memory-corruption vulnerability is identified as CVE-2011-2462 and is located in the component that processes U3D graphics. Because it can lead to the execution of arbitrary code, the vulnerability is considered critical.

The Lockheed Martin Computer Incident Response Team (CIRT) and members of the Defense Security Information Exchange are credited with discovering and reporting the issue to Adobe, which suggests that hackers are leveraging it to target companies from the defense industry.

Adobe is treating a patch for Adobe Reader 9.x as a priority because that's the branch currently exploited in the wild. "We are in the process of finalizing a fix for the issue and expect to make available an update for Adobe Reader and Acrobat 9.x for Windows no later than the week of December 12, 2011," the company said in a new security advisory.

Adobe Reader and Acrobat X for Windows will receive patches during the next quarterly security update, which is scheduled for Jan. 10. The vulnerability is not an immediate threat for users of this particular branch because they benefit from a sandbox feature that makes arbitrary code execution very difficult to achieve.

Sandboxing is not available for the Unix and Mac versions, but according to Adobe, the risk to users of these platforms is significantly lower. That's why the company will delay patching these versions until January as well.

"All real-world attack activity, both in this instance and historically, is limited to Adobe Reader on Windows. We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or UNIX for this CVE (or any other CVE)," the Adobe Secure Software Engineering Team (ASSET) said in a blog post.
