New Adobe Reader zero-day in the wild
Adobe is warning of a zero-day flaw in Adobe Reader that is being actively exploited in Adobe Reader 9.x on Windows as part of "limited, targeted attacks". The security advisory says that the critical flaw affects Adobe Reader X (10.1.1) and Adobe Acrobat X (10.1.1) and their earlier versions for Windows and Mac OS X. Adobe Reader 9.4.6 and earlier 9.x versions for Unix are also vulnerable. Adobe says the hole is caused by memory corruption in the processing of Universal 3D files (U3D) which could cause a crash "and potentially allow an attacker to take control of the affected system".
Adobe says that Adobe Reader X's Protected Mode and Acrobat X's Protected View stop any exploit code from executing; patched versions will be made available, along with updates for the Macintosh and Unix versions, in the next quarterly security update on 10 January 2012. More urgently though, the fixes for Reader and Acrobat 9.x for Windows are being finalised and Adobe plans to make them available on or by 12 December 2011 in an out-of-cycle update.
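For a defender the practical question is which installs in the estate fall inside the affected ranges above, which of those are covered by the Reader X / Acrobat X sandbox, and which update channel will carry their fix. The following Python is an added example written for this article, not code from Adobe or the advisory; it encodes the version ranges exactly as the article states them (the advisory text gives no lower bound for Windows and Mac OS X, and names only the 9.x line for Unix), and the inventory rows and the `sandbox_enabled` flag are constructed inputs that a real deployment would pull from its own asset data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'10.1.1' -> (10, 1, 1); a trailing 'x' wildcard is dropped ('9.x' -> (9,))."""
    parts = [p for p in text.strip().split(".") if p.lower() != "x"]
    return tuple(int(p) for p in parts)


# Highest affected version per (product, platform), taken from the article text.
# Any version at or below the ceiling on that platform is inside the affected range.
AFFECTED_MAX: Dict[Tuple[str, str], Version] = {
    ("reader", "windows"): (10, 1, 1),
    ("reader", "macos"): (10, 1, 1),
    ("reader", "unix"): (9, 4, 6),      # advisory names only 9.4.6 and earlier 9.x for Unix
    ("acrobat", "windows"): (10, 1, 1),
    ("acrobat", "macos"): (10, 1, 1),
    # Reader for Android is stated to be unaffected, so it has no entry.
}


@dataclass(frozen=True)
class Assessment:
    affected: bool
    sandboxed: bool   # Protected Mode (Reader X) / Protected View (Acrobat X) reported to stop the exploit
    fix: str          # which Adobe update is due to carry the fix


def assess(product: str, version: str, platform: str, sandbox_enabled: bool = False) -> Assessment:
    """Classify one install against the advisory. sandbox_enabled is an assumed
    input: whether Protected Mode / Protected View is switched on for that install."""
    key = (product.lower(), platform.lower())
    v = parse_version(version)
    ceiling = AFFECTED_MAX.get(key)
    if ceiling is None or v > ceiling:
        return Assessment(False, False, "none needed")
    if key[1] == "unix" and v[:1] != (9,):
        # Only the 9.x line is named for Unix; other majors are outside the stated range.
        return Assessment(False, False, "none needed")
    # The sandbox only exists in the X (10.x) line; 9.x has no equivalent mitigation.
    sandboxed = v[0] >= 10 and sandbox_enabled
    if v[0] == 9 and key[1] == "windows":
        fix = "out-of-cycle update, on or by 12 December 2011"
    else:
        fix = "quarterly update, 10 January 2012"
    return Assessment(True, sandboxed, fix)


# Constructed sample inventory: (host, product, version, platform, sandbox_enabled). Not real hosts.
INVENTORY: List[Tuple[str, str, str, str, bool]] = [
    ("ws-01", "reader", "9.4.6", "windows", False),
    ("ws-02", "reader", "10.1.1", "windows", True),
    ("mac-01", "acrobat", "10.1.1", "macos", False),
    ("srv-01", "reader", "9.4.6", "unix", False),
    ("ws-03", "reader", "10.1.2", "windows", True),
    ("phone-01", "reader", "10.1.1", "android", False),
]


def triage(inventory) -> List[str]:
    """Hosts that are exposed: inside the affected range and not covered by the sandbox."""
    exposed = []
    for host, product, version, platform, sandbox in inventory:
        a = assess(product, version, platform, sandbox)
        if a.affected and not a.sandboxed:
            exposed.append(host)
    return exposed


if __name__ == "__main__":
    for host, product, version, platform, sandbox in INVENTORY:
        a = assess(product, version, platform, sandbox)
        print(f"{host:9} {product:8} {version:7} {platform:8} affected={a.affected} "
              f"sandboxed={a.sandboxed} fix={a.fix}")
    print("exposed:", triage(INVENTORY))
```

The sandboxed installs still count as affected and still need the update; the sandbox only lowers their priority in the interim, which is why `triage` separates "affected" from "exposed" rather than collapsing the two.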
On the Adobe Secure Software Engineering Team Blog, Brad Arkin, senior director for Product Security and Privacy at Adobe, explains the scheduling and implores users of Reader and Acrobat 9.x to upgrade to Reader and Acrobat X, saying "to date, there has not been a single piece of malware identified that is effective against a version X install".
Adobe says the flaw does not affect Adobe Reader for Android. It also notes that Adobe Flash Player is not affected; most recent Adobe Reader and Acrobat issues have been related to flaws in Flash Player, which is also embedded in Reader and Acrobat. In this case, the flaw lies specifically within Reader and Acrobat themselves.