Adobe confirms zero-day danger in Reader and Acrobat

Dec 07, 2011 by Nancy Owano report

(PhysOrg.com) -- Adobe on Tuesday issued a critical security advisory for Adobe Reader and Acrobat. A vulnerability was detected and confirmed in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. Adobe said the flaw could cause a crash and allow an attacker to take control of the affected system.

The is being “actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on ,” according to the Adobe statement. The goal by attackers is to infect computers with malware. Since it can lead to the execution of arbitrary code, Adobe is categorizing the vulnerability as critical.

Adobe says the flaw affects multiple operating systems and various versions of its software.
• Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
• Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and
• Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
• Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and

The Reader for Android and Adobe Flash player are not affected.

Lockheed Martin and members of the Defense Security Information Exchange discovered and reported the flaw to Adobe. Defense contractors are being targeted, suggest reports.

Adobe says it is working on the fix and plans to issue an update for Adobe Reader and Acrobat 9.x for Windows no later than the week of December 12. .Adobe will “address the issue” in .Adobe Reader X and Acrobat X for Windows with the next update for Adobe Reader and Acrobat, and earlier versions of the Mac, scheduled for January 10.

An update to address 9.x for UNIX is also planned for January 10.

Tracking the latest information on the Adobe incident can be done by accessing the blog at blogs.adobe.com/psirt.

Meanwhile, security vendors Sophos reported on Tuesday that more mischief is being added in the form of fake fixes that are pretending to be sent from Adobe. Sophos is warning the public to beware of the phony upgrade notifications. The emails carry a ZIP attachment which has a version of the Zeus Trojan designed to steal banking information. Samples seen so far by Sophos all carry malware in the file "Adobe Systems Software Critical Update Dec 2011.exe" contained within the ZIP.

Explore further: Android gains in US, basic phones almost extinct

More information: nakedsecurity.sophos.com/2011/12/06/beware-adobe-software-upgrade-notification-malware-attached/

Related Stories

Adobe cutting 680 jobs

Nov 10, 2009

Adobe Systems, known for its Photoshop editing program and Acrobat document software, announced on Tuesday it was cutting some 680 jobs worldwide, about nine percent of its workforce.

Adobe plugs Flash webcam spy hole

Oct 22, 2011

(PhysOrg.com) -- Adobe engineers on Thursday fixed a vulnerability in its Flash software that could enable attackers to use a person’s computer webcam or microphone feeds for spying on the person. Adobe made changes ...

Adobe pulls plug on Flash for mobile

Nov 09, 2011

US software maker Adobe pulled the plug Wednesday on its Flash player for mobile browsers, which Apple's late chief executive Steve Jobs refused to allow on the iPhone and iPad.

Adobe CS3: What You Get

Apr 27, 2007

Which bundle is right for you? We break down some of their key new tools, suite by suite.

Recommended for you

Growing app industry has developers racing to keep up

9 hours ago

Smartphone application developers say they are challenged by the glut of apps as well as the need to update their software to keep up with evolving phone technology, making creative pricing strategies essential to finding ...

Android gains in US, basic phones almost extinct

Apr 18, 2014

The Google Android platform grabbed the majority of mobile phones in the US market in early 2014, as consumers all but abandoned non-smartphone handsets, a survey showed Friday.

Hackathon team's GoogolPlex gives Siri extra powers

Apr 17, 2014

(Phys.org) —Four freshmen at the University of Pennsylvania have taken Apple's personal assistant Siri to behave as a graduate-level executive assistant which, when asked, is capable of adjusting the temperature ...

Microsoft CEO is driving data-culture mindset

Apr 16, 2014

(Phys.org) —Microsoft's future strategy: is all about leveraging data, from different sources, coming together using one cohesive Microsoft architecture. Microsoft CEO Satya Nadella on Tuesday, both in ...

User comments : 0

More news stories

Poll: Big Bang a big question for most Americans

Few Americans question that smoking causes cancer. But they have more skepticism than confidence in global warming, the age of the Earth and evolution and have the most trouble believing a Big Bang created the universe 13.8 ...

Making graphene in your kitchen

Graphene has been touted as a wonder material—the world's thinnest substance, but super-strong. Now scientists say it is so easy to make you could produce some in your kitchen.