Adobe has issued a Security Advisory for Adobe Reader and Acrobat [APSA 11-04] warning of a critical security vulnerability in those products. This memory corruption vulnerability [CVE-2011-2462] could be exploited to cause a crash, and potentially allow an attacker to take control of an affected system. Adobe says that the following software versions are vulnerable:
- Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
- Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and UNIX
- Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
- Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh
Neither Adobe Reader for Android nor Adobe Flash Player is affected by this vulnerability.
Some attacks based on this vulnerability have, apparently, already been seen “in the wild”, in the form of malicious PDF documents:
There are reports that the vulnerability is being actively exploited in the wild in limited, targeted attacks against Adobe Reader 9.x on Windows.
Adobe says that the protected mode feature in Reader X and Acrobat X should prevent these exploits from working.
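As an added example (not code from Adobe or from this post), a small Python triage script that classifies an asset inventory against the affected versions listed above, flagging Reader X / Acrobat X installs separately because of the Protected Mode point; the host names and version numbers in the inventory are constructed.

```python
from typing import NamedTuple

class Asset(NamedTuple):
    host: str
    product: str   # "Reader" or "Acrobat"
    version: str   # dotted version string as reported by the installer
    platform: str  # "Windows", "Macintosh", "UNIX" or "Android"

# (product, major version, highest affected version, affected platforms),
# transcribed from the advisory's list.
AFFECTED = [
    ("Reader", 10, (10, 1, 1), {"Windows", "Macintosh"}),
    ("Reader", 9, (9, 4, 6), {"Windows", "Macintosh", "UNIX"}),
    ("Acrobat", 10, (10, 1, 1), {"Windows", "Macintosh"}),
    ("Acrobat", 9, (9, 4, 6), {"Windows", "Macintosh"}),
]

def parse_version(text):
    """'10.1' -> (10, 1, 0); raises ValueError on non-numeric parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def classify(asset):
    """Return 'affected', 'affected-protected-mode' or 'not-affected'."""
    ver = parse_version(asset.version)
    for product, major, highest, platforms in AFFECTED:
        if (asset.product, ver[0]) == (product, major) and asset.platform in platforms:
            if ver > highest:
                return "not-affected"  # newer than the ceiling Adobe listed
            # Adobe says Protected Mode in Reader X / Acrobat X should block the
            # exploits seen so far; the bug is still unpatched, so flag separately.
            return "affected-protected-mode" if major == 10 else "affected"
    return "not-affected"  # other majors, Android, or a platform not listed

def triage(lines):
    """Parse 'host,product,version,platform' rows into {host: status}."""
    return {a.host: classify(a) for a in (Asset(*row.split(",")) for row in lines)}

# Constructed inventory rows for illustration (hosts and versions are made up).
INVENTORY = [
    "ws-01,Reader,9.4.6,Windows",
    "ws-02,Reader,10.1.1,Windows",
    "srv-03,Reader,9.4.6,UNIX",
    "mac-04,Acrobat,9.4.7,Macintosh",
    "phone-05,Reader,10.1.0,Android",
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```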
Adobe reports that it is working on patches for this vulnerability, and expects to have fixes for the 9.x versions on Windows (the attack target to date) no later than the week of December 12, 2011. Patches for other versions and platforms are scheduled for the next regular quarterly cycle on January 10, 2012.
Adobe’s Product Security Incident Response Team’s [PSIRT] blog has a post on this advisory; updated information will be posted there as necessary.
Update Thursday, 15 December, 12:05 EST
According to a post at the Adobe PSIRT blog, the patch for the 9.x versions of Reader and Acrobat is scheduled for release tomorrow, Friday, December 16.