Hackers Exploit Critical Adobe Reader, Acrobat Flaws

/ Source: SecurityNewsDaily

Online attackers are currently taking advantage of an unpatched security bug in Adobe's popular Reader software to launch targeted cyberattacks, possibly against high-profile defense contractors.

Adobe confirmed the flaw in a security advisory today (Dec. 6), explaining that the new vulnerability exists in Adobe Reader X (10.1.1) and earlier versions for Windows and Mac, and Adobe Reader 9.4.6 and earlier 9.x versions for UNIX.

"This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system." Adobe said, adding that the company has received reports of "limited, targeted attacks against Adobe Reader 9.x on Windows." Adobe also found a bug in its Acrobat X software.

Gregg Keizer from Computerworld suggested that the "targeted attacks" Adobe mentioned may have been aimed at defense contractors. Adobe identified the bug as a "U3D memory corruption vulnerability"; U3D, Keizer explained, stands for Universal 3D, a file format promoted by companies including Intel and Hewlett-Packard. He pointed to the fact that Adobe credited the security teams at Lockheed Martin, which has dealt with its share of security incidents this year, with reporting the critical vulnerability.

Adobe said it plans to release an emergency update to the Reader 9.x and Acrobat 9.x security flaws "no later than the week of Dec. 12." Because Adobe Reader X and Acrobat X contain built-in defenses that prevent attackers from exploiting them, Adobe is not rushing out patches for these programs, and will wait until the next regular update, scheduled for Jan. 10, 2012.