Adobe Admits Zero-Day Flaw In Acrobat, Reader

Adobe has warned its users that a zero day vulnerability in Adobe Reader and Acrobat is currently being exploited in the wild.

The new critical vulnerability in Adobe Reader and Adobe Acrobat could cause a crash and potentially allow an attacker to remotely take control of the compromised system, Adobe said in a security advisory 6 December.

The vulnerability exists in Adobe Reader X and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier versions for Unix, and Adobe Acrobat X and earlier versions for Windows and Macintosh, Adobe said. Adobe Reader for Android and Adobe Flash Player are not affected by this issue.

Working On Fix

The critical vulnerability is already being exploited in the wild in the form of targeted attacks against Windows users running Adobe Reader 9.x. Adobe has not received any reports of malicious PDFs being used to exploit other versions of Adobe Reader or Acrobat. The company declined to provide additional details of the current exploit.

Adobe is currently finalising a fix for the issue and an out-of-band patch for Adobe Reader and Acrobat 9.x for Windows is expected “no later” than the week of 12 December, Adobe said.

The protective sandbox technology in Reader X and Acrobat X would prevent the exploit from executing successfully, so those programs would be updated as part of the company’s regularly scheduled quarterly security update, currently set for 10 January. Since the risk to Macintosh and Unix users was “significantly lower,” these versions of affected software will also be patched during the quarterly update.

“The reason for addressing this issue quickly for Adobe Reader and Acrobat 9.4.6 for Windows is simple: This is the version and platform currently being targeted,” Brad Arkin, senior director of product security and privacy at Adobe, wrote on the Adobe Secure Software Engineering Team blog.

Holiday Update

The vulnerability was discovered and reported by Lockheed Martin Computer Incident Response Team and the Defence Security Information Exchange. The U3D memory corruption flaw could cause the compromised computer to crash and allow a remote attacker to seize control, according to the advisory.

The Adobe team is focusing the out-of-band patch to just Adobe Reader and Acrobat 9.x for Windows in order to ship it as soon as possible. This way, administrators would have the time to deploy the update before users and staff take time off for the upcoming holidays, Arkin said.

The advisory comes at an unfortunate time, as there is currently a spam campaign underway posing as upgrades for Acrobat and Reader, according to Graham Cluley, senior technology consultant at Sophos. The spam messages pretend to come from Adobe and have a ZIP file containing a version of the Zeus Trojan attached.

“Less technical-savvy computer users might believe the email is legitimate, and be tricked into installing malware onto their computer thinking that it is an official Adobe update,” Cluley wrote on the Naked Security blog.

This is the first zero-day vulnerability found in Acrobat and Reader that is unrelated to a Flash Player flaw since September 2010, Adobe noted.