Adobe to release zero-day fixes for Reader and Acrobat
Adobe is scheduled to release updates to Acrobat and Reader that address a zero-day flaw in the software that could allow an attacker to take control of a compromised system.
In early December, Adobe issued a security bulletin regarding new zero-day PDF-based attacks that took advantage of flaws in its Reader and Acrobat programs, allowing a hacker to crash the program and take control of the system.
The flaw was initiallyversions 9.4.6 and X (10.1.1) on all supported platforms, with a similar flaw later being , though in its security bulletin Adobe claims this is not the same issue as those in Reader and Acrobat.
Despite it being present in multiple platforms and software versions, Adobe claimed the flaw was only being actively exploited in the Windows versions of Acrobat and Reader. As a result, and because version 10.1.1 of the software contains enhanced security options that thwart the exploit, Adobe only issued immediate updates for version 9.4.2 of Reader and Acrobat for Windows.
The company claimed that it would address the flaw in other versions of its software by releasing updates on January 10, 2012, so if you use these software packages from Adobe, then be aware that an update will likely be made available today. When the updates are released they can be obtained on Adobe's product update downloads page, and also will be available via the Adobe Update Manager program if you have that installed.
Until these updates are released, if you are using Acrobat X or Reader X (version 10 or above), you can protect against this flaw by enabling the program's enhanced security options: open the program's preferences, select the "Security (enhanced)" section, and check the "Enable Enhanced Security" option. Even after applying patches that correct this latest problem, it may be a good idea to keep these enhanced security measures enabled.