Adobe has released an emergency patch to address critical vulnerabilities in its Acrobat and Reader products.
As detailed by SC Magazine last week, a new vulnerability has been identified that targets Adobe Reader 9.4.6 on Windows. The patch, released on Friday, addresses vulnerabilities in Adobe Reader and Acrobat 9.x for Windows, and it recommended users of Adobe Reader 9.4.6 and earlier 9.x versions for Windows to update to Adobe Reader 9.4.7, and recommended users of Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows update to Adobe Acrobat 9.4.7.
Adobe said there is no immediate risk to users of Adobe Reader and Acrobat X for Windows with Protected Mode or Protected View enabled, or for Adobe Reader and Acrobat X or earlier versions for Macintosh, and Adobe Reader 9.x for UNIX based on the current exploits and historical attack patterns.
However, Adobe is planning to address these issues in Adobe Reader X and Acrobat X for Windows with the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for 10 January 2012. An update to address these issues in Adobe Reader 9.x for UNIX is planned for the same date.
Wolfgang Kandek, CTO of Qualys, said: “The flaw is actively being used in targeted attacks and can be used to take full control of the targeted machine. If you are interested in the technical details, one of the samples has been analysed in detail by Brandon Dixon and Mila Parkour. We recommend applying this patch as quickly as possible.
“Adobe Reader X contains the same flaw, but the current attack is neutralised due its additional sandbox. While this does not mean that Adobe Reader X users are completely safe, it is a remarkable illustration of the effectiveness of the additional security features that newer products have been enhanced with.”
Paul Henry, security and forensic analyst at Lumension, said: “Adobe is only releasing a patch for the Windows versions of the issue because that is the primary platform under attack. A fix for Unix and Mac users will not be available from Adobe until 12 January 2012. In all, Adobe released 121 bulletins this year, also down from last year.”