X

Adobe warns of attacks using Reader on Windows

Adobe to issue fix by next week for critical hole in Reader and Acrobat that could allow an attacker to take control of the system.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

Hackers are exploiting a previously unknown flaw in Reader to attack computers running Windows, Adobe said today.

A patch for the critical vulnerability in Reader and Acrobat is expected by next week, the company said in a blog post.

The vulnerability, which is being exploited in "limited, targeted attacks in the wild against Adobe Reader 9.x on Windows," could allow an attacker to take control of the system, Adobe said.

Adobe is finalizing a fix and expects to release an update for Reader and Acrobat 9.x for Windows no later than the week of December 12, according to an Adobe advisory.

"Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X and Acrobat X for Windows with the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for January 10, 2012," the company said. "We are planning to address this issue in Adobe Reader and Acrobat X and earlier versions for Macintosh as part of the next quarterly update scheduled for January 10, 2012. An update to address this issue in Adobe Reader 9.x for UNIX is planned for January 10, 2012."

The issue does not affect Adobe Reader for Android and Adobe Flash Player.

Adobe's advisory credited Lockheed Martin and members of the Defense Security Information Exchange with reporting the issue. Lockheed spokeswoman Jennifer Whitlow told Reuters that the problem was identified through the company's normal monitoring activities but that the company had not been penetrated in the attempted attack. The defense contractor was targeted in an attack earlier this year believed to be related to a breach at SecurID token maker RSA.

Updated November 7 at 5:29 p.m. PT with Lockheed reporting the issue to Adobe.