
Adobe scrambles to patch Acrobat zero-day hack

An exploit discovered by Lockheed Martin's computer security team crashes …

Adobe has reported a new "critical vulnerability" in current and older versions of Adobe Reader and Acrobat for Windows, Mac OS X, and Unix operating systems. The flaw has already been exploited in targeted attacks against Adobe Reader 9 on Windows, the company stated in its security advisory. The exploit appears to have already been used in an attack on US defense contractors and research facilities.

Discovered by Lockheed Martin's Computer Incident Response Team and MITRE, the vulnerability could allow an attacker to send a malicious Adobe document file that crashes Reader and "potentially allow an attacker to take control of the affected system," according to the Adobe Product Security Incident Response Team's alert. In a blog post, Adobe's director of product security Brad Arkin said that Adobe is planning to release a fix for the Windows versions of Adobe Reader and Acrobat 9.4.6 "no later than the week of December 12." There is currently no workaround for Reader 9.x.

Arkin said that the risk to Mac OS X and Unix users of Reader is "significantly lower," and that the attack can be blocked on Windows with Reader X by opening documents in "protected mode." Patches for those versions of Reader will be held until the next quarterly update of Reader, scheduled for January 10.

Arkin encouraged anyone still using Reader 9. "We put a tremendous amount of work into securing Adobe Reader and Acrobat X, and to date there has not been a single piece of malware identified that is effective against a version X install," he claimed. However, that would appear not to apply to Reader and Acrobat X users who open documents without using protected mode.
