Lucian Constantin
CSO Senior Writer

Critical Adobe Reader zero-day vulnerability exploited in the wild

Dec 7, 2011

Adobe is rushing to patch the memory-corruption vulnerability

Adobe is working on a patch for a newly discovered Adobe Reader vulnerability that is currently being exploited in the wild to infect computers with malware.

The flaw affects Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Unix, as well as Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh.

The memory-corruption vulnerability is identified as CVE-2011-2462 and is located in the component that processes U3D graphics. Because it can lead to the execution of arbitrary code, the vulnerability is considered critical.

The Lockheed Martin Computer Incident Response Team (CIRT) and members of the Defense Security Information Exchange are credited with discovering and reporting the issue to Adobe, which suggests that hackers are leveraging it to target companies in the defense industry.

Adobe is treating a patch for Adobe Reader 9.x as a priority because that’s the branch currently exploited in the wild. “We are in the process of finalizing a fix for the issue and expect to make available an update for Adobe Reader and Acrobat 9.x for Windows no later than the week of December 12, 2011,” the company said in a new security advisory.

Adobe Reader and Acrobat X for Windows will receive patches during the next quarterly security update, which is scheduled for Jan. 10. The vulnerability is not an immediate threat for users of this particular branch because they benefit from a sandbox feature that makes arbitrary code execution very difficult to achieve.

Sandboxing is not available for the Unix and Mac versions, but according to Adobe, the risk to users of these platforms is significantly lower. That’s why the company will delay patching these versions until January as well.

“All real-world attack activity, both in this instance and historically, is limited to Adobe Reader on Windows. We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or Unix for this CVE (or any other CVE),” the Adobe Secure Software Engineering Team (ASSET) said in a blog post.

Lucian Constantin writes about information security, privacy, and data protection for CSO. Before joining CSO in 2019, Lucian was a freelance writer for VICE Motherboard, Security Boulevard, Forbes, and The New Stack. Earlier in his career, he was an information security correspondent for the IDG News Service and information security news editor for Softpedia.

Before he became a journalist, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. He lives and works in Romania.

You can reach him at lucian_constantin@foundryco.com or @lconstantin on X. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
