Yesterday Adobe released a security bulletin that discusses a new attack which is targeting a flaw in its Acrobat and Reader programs.
The flaw affects both version 9.4.6 and 10.1.1 of its Reader and Acrobat programs, on all supported platforms, which include both Windows and Macintosh PCs.
Described only as a "U3D memory corruption" vulnerability, the flaw is triggered by a specially crafted PDF document: when the document is opened it causes the target system to crash and allows the attacker to take control of the system. Adobe gives no further details on the nature of the attack, such as whether the Reader browser plug-in is affected, but does state that the flaw affects the following versions of its products:
- Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
- Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and UNIX
- Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
- Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh
Unlike most security advisories, this one does not describe a merely theoretical threat: the vulnerability is being actively exploited. So far the attackers are targeting Windows PCs running Adobe Reader version 9.4.6, but attacks on other versions and platforms could easily follow in the near future.
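As an added illustration (not part of Adobe's bulletin or of this article), the following Python triage script flags PDF files that carry 3D annotations or U3D streams, the content handled by the vulnerable code path, so that a mail gateway or incident responder can set them aside for review. The `/Subtype /3D` and `/Subtype /U3D` tokens come from the PDF specification (ISO 32000-1, section 13.6); the sample PDF bytes are constructed for the demonstration, and a hit only means the file contains 3D content, not that it is malicious.

```python
import re
import zlib

# Dictionary tokens that mark embedded 3D content (ISO 32000-1, section 13.6):
# a 3D annotation carries /Subtype /3D, its data stream carries /Subtype /U3D.
ANNOT_3D_RE = re.compile(rb"/Subtype\s*/3D\b")
STREAM_U3D_RE = re.compile(rb"/Subtype\s*/U3D\b")
# Heuristic stream locator; a real parser would honour /Length instead.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)

def inflate_streams(data: bytes) -> bytes:
    """Concatenate the plaintext of every stream that inflates as FlateDecode.
    Object streams are normally compressed, so a raw byte scan alone can miss
    the dictionary of a U3D stream that is stored inside one."""
    chunks = []
    for match in STREAM_RE.finditer(data):
        try:
            chunks.append(zlib.decompress(match.group(1)))
        except zlib.error:
            pass  # not Flate data (image, another filter, or an uncompressed stream)
    return b"\n".join(chunks)

def classify_pdf(data: bytes, inflate: bool = True) -> dict:
    """Report whether a PDF carries a 3D annotation and/or a U3D stream. A hit
    means 3D content worth isolating for analysis, not proof of malice; encrypted
    files and nested filters are out of scope for this triage check."""
    haystack = data + (b"\n" + inflate_streams(data) if inflate else b"")
    return {"has_3d_annotation": ANNOT_3D_RE.search(haystack) is not None,
            "has_u3d_stream": STREAM_U3D_RE.search(haystack) is not None}

def build_sample_pdf(with_u3d: bool) -> bytes:
    """Constructed minimal PDF for the demonstration (not a real-world sample).
    With with_u3d=True the U3D stream dictionary sits inside a FlateDecode object
    stream, which is exactly the case a plain grep for '/U3D' misses."""
    objects = [b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
               b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
               b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"]
    if with_u3d:
        objects.append(b"4 0 obj\n<< /Type /Annot /Subtype /3D /3DD 5 0 R "
                       b"/Rect [0 0 100 100] >>\nendobj\n")
        packed = zlib.compress(b"5 0 << /Type /3D /Subtype /U3D /Length 0 >>")
        objects.append(b"6 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode"
                       b" /Length %d >>\nstream\n%s\nendstream\nendobj\n"
                       % (len(packed), packed))
    return b"%PDF-1.7\n" + b"".join(objects) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    print(classify_pdf(build_sample_pdf(True)))
    print(classify_pdf(build_sample_pdf(True), inflate=False))
```

Running the script shows the second call missing the U3D stream because the dictionary is hidden in a compressed object stream, which is why the inflating pass matters for this kind of triage.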
Despite the potential for the attacks to spread, the "out of cycle" update that Adobe will release in the week of December 12, 2011, prompted by the critical nature of the problem for Windows users, covers only version 9.4.6 for Windows; other versions and platforms will have to wait until January 10, 2012 for an update. Adobe says it is working to fix the vulnerability in its software, but must prioritize based on the current threat and on what it can do with limited staffing around the holiday season.
Even though an update for version 10.1.1 of Adobe Reader X and Acrobat X will not be released for at least another month, on these versions the exploit can be thwarted by turning on enhanced security options in the program's preferences.
To enable Protected View in Adobe's Reader X and Acrobat X products, go to the Edit menu and select Preferences. Then select "Security (Enhanced)", check "Enable Enhanced Security," and ensure that either "All Files" or "Files from potentially unsafe locations" is checked, if those options are available.
On Windows PCs you can also go to the "General" section of the preferences and ensure that "Enable Protected Mode at Startup" is selected, but this option is not available for Reader on OS X.
So far the only attacks Adobe has reports of are against Adobe Reader 9.x on Windows PCs, but the same exploit could be used against Macintosh and Unix systems running version 10.1.1 or version 9.4.6 of either Acrobat or Reader. For this reason, and because Acrobat X and Reader X offer this additional security, a blog posting by the Adobe engineering team urges users to upgrade to these versions of its products and enable the enhanced security options.
For Mac users, while Adobe Reader has its uses, do keep in mind that Apple has its own PDF implementation in OS X that can be used to both create and view PDF documents. Apple's default PDF viewer is its Preview program.