Adobe to release emergency patch for critical vulnerability in Reader and Acrobat
Adobe releases patches for critical vulnerabilities in Flash, Shockwave and Photoshop
Adobe has confirmed that it will release an out-of-band patch next week for a critical vulnerability in its Reader and Acrobat products.
The company posted an advisory for the new vulnerability that it confirmed is currently being exploited in the wild in limited, targeted attacks against Adobe Reader 9.4.6 on Windows.
According to Brad Arkin, senior director, product security and privacy at Adobe Systems, an out-of-cycle security update for Adobe Reader and Acrobat 9.x for Windows will be released "no later than the week of 12 December".
He also confirmed that as Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit targeting this vulnerability from executing, it is planning to address this issue in Adobe Reader and Acrobat X for Windows with the next quarterly security update on 10 January, 2012. He also said that the risk to Mac and UNIX users was significantly lower, so an update will be released on 10 January also.
He said: “The reason for addressing this issue quickly for Adobe Reader and Acrobat 9.4.6 for Windows is simple: This is the version and platform currently being targeted. All real-world attack activity, both in this instance and historically, is limited to Adobe Reader on Windows. We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or UNIX for this CVE or any other CVE.
“Focusing this release on just Adobe Reader and Acrobat 9.x for Windows also allows us to ship the update much earlier. We are conscious of the upcoming holidays and are working to get this patch out as soon as possible to allow time to deploy the update before users and staff begin to take time off. Ultimately the decision comes down to what we can do to best mitigate threats to our customers.”
Arkin also confirmed that this is the first attack against Adobe Reader proper (as opposed to repurposed SWF exploits) since September 2010.