Categories: SecurityWorkspace

Adobe Plans Emergency Fix For Reader

Adobe has confirmed a patch covering two critical flaws in Reader and Acrobat will land this week, following reports one of the vulnerabilities was being exploited in the wild.

Adobe noted late last week it was working on a patch and has been quick to react to findings of security researchers, confirming over the weekend fixes would land sometime this week.

Adobe Reader attacks

FireEye reported last week that a PDF zero-day was being exploited. It found that when one of the Reader flaws was successfully exploited, it initiated two Dynamic Link Library (DLL) files, the first of which opened a fake error message and a decoy PDF document, whilst the second dropped a callback component that spoke with a remote domain used by the attackers.

“Adobe is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message,” the Reader maker said in its advisory.

“Adobe is in the process of working on fixes for these issues and plans to make available updates for Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux during the week of 18 February 2013.”

As noted by various security researchers, the exploits, if genuine, mark a worrying moment for Adobe, as it is the first known bypass of the sandbox protection built into the latest Adobe Reader.

“Adobe Reader, and the PDF standard, are extremely flexible (and therefore complex) pieces of technology – this won’t be the last flaw found,” warned Ross Barrett, senior manager of security engineering at Rapid7.

The Adobe security team has had a busy month, having rushed out patches for zero-day flaws in Flash Player, which were being exploited by hackers. Mac and Windows users were targeted.

Are you a security pro? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago