Adobe Warns of Flaw in Reader, Acrobat

Adobe has issued a Security Advisory for Adobe Reader and Acrobat [APSA 11-04] warning of a critical security vulnerability in those products.  This memory corruption  vulnerability [CVE-2011-2462] could be exploited to cause a crash, and potentially allow an attacker to take control of an affected system.   Adobe says that the following software versions are vulnerable:

  • Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and UNIX
  • Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh

Neither Adobe Reader for Android nor Adobe Flash Player is affected by this vulnerability.

Some attacks based on this vulnerability have, apparently, already been seen “in the wild”, in the form of malicious PDF documents:

There are reports that the vulnerability is being actively exploited in the wild in limited, targeted attacks against Adobe Reader 9.x on Windows.

Adobe says that the protected mode feature in Reader X and Acrobat X should prevent these exploits from working.

Adobe reports that it is working on patches for this vulnerability.  and expects to have fixes for 9.x versions on Windows (which has been the attack target to date) no later than the week of December 12, 2011.  Patches for other versions and platforms are scheduled to be released in the next regular quarterly cycle on January 10, 2012.

Adobe’s Product Security Incident Response Team’s [PSIRT] blog has a post on this advisory; updated information will be posted there as necessary.

Update Thursday, 15 December, 12:05 EST

According to a post at the Adobe PSIRT blog, the patch for the 9.x versions of Reader and Acrobat is scheduled for release tomorrow, Friday, December 16.

 

2 Responses to Adobe Warns of Flaw in Reader, Acrobat

  1. […] its Reader and Acrobat on Windows, versions 9.x.  This bulletin addresses the recently discovered memory corruption vulnerability [CVE-2011-2462], as well as another flaw [CVE-2011-4369].   It appears that these vulnerabilities […]

  2. […] the Adobe Flash Player update noted in Security Bulletin [APSB11-28], and patches for the earlier vulnerabilities (CVE-2011-2462 and CVE-2011-4369) identified in  Security Bulletin [APSB11-30].  Patches for the […]

%d bloggers like this: