While it's not unusual for companies to promise a variety of things “in time for the holidays,” a patch for a zero-day bug being exploited in the wild is usually not one of them. But that’s something you can look forward to if you have Adobe Reader and/or Acrobat 9.x for Windows. In a security advisory issued on Tuesday, Adobe warned of a “critical” vulnerability in Adobe Reader and Acrobat that is being exploited in the wild. Hit the jump for more.
The said vulnerability was brought to Adobe’s notice by Lockheed Martin CIRT (Computer Incident Response Team) and the Defense Security Information Exchange, both of which keep an eye on threats aimed at defense contractors. According to the company, an attacker can use this U3D (Universal 3D) memory corruption vulnerability to take control of the affected machine. Universal 3D is a file format standard for three-dimensional data. Both Adobe Reader Acrobat support U3D objects.
“A critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh,” reads the security advisory.
“There are reports that the vulnerability is being actively exploited in the wild in limited, targeted attacks against Adobe Reader 9.x on Windows. Adobe Reader X Protected Mode and Acrobat X Protected View mitigations would prevent an exploit of this kind from executing.”
The company is working on an out-of-band patch for Adobe Reader and Acrobat 9.x for Windows and expects to have it ready during the week of December 12, 2011, with patches for other versions arriving a bit later on January 10, 2012.