Adobe not planning to close critical vulnerability in Reader until January

Adobe has confirmed the existence of a recently reported vulnerability in Adobe Reader and Adobe Acrobat. The vulnerability is already being actively exploited, but the company does not plan to release an update until 12th January 2010, as part of its regular three-monthly patch cycle. According to the vendor, Adobe Reader 9.2 and earlier for Windows, Macintosh and Unix and Acrobat 9.2 and earlier for Windows and Macintosh are affected. The cause of the problem appears to be a bug in Adobe's DocMedia.newPlayer JavaScript function.

The vulnerability can be exploited to inject and execute code on vulnerable systems and can be triggered simply by opening a crafted PDF file. Virus authors have so far limited themselves to distributing such files via targeted emails only, samples of which have been published by F-Secure on their blog.

Since the exploit for the vulnerability is now available as a plug-in for the Metasploit exploit framework, the scope of attacks may be set to widen from the isolated targeted attacks seen so far. To avoid falling victim to an attack, Adobe is advising Windows users to activate data execution prevention (DEP) or to deactivate JavaScript in Reader or Acrobat (Edit -> Preferences -> JavaScript). As an alternative workaround, Adobe has provided an installable Windows registry file that generates a key which blacklists the vulnerable JavaScript function, preventing it from being called. The forthcoming security update will reset this value on installation.

For Mac OS X and Linux users, Adobe has provided instructions for blacklisting the vulnerable function.

See also:

• Security Advisory for Adobe Reader and Acrobat, report from Adobe.
• Attacks on unpatched vulnerability in Adobe Reader and Acrobat, a report from The H.
  

(djwm)