Adobe today sounded an alarm for a new zero-day flaw in its PDF Reader/Acrobat software, warning that hackers are actively exploiting the vulnerability in-the-wild.
Details on the vulnerability are not yet public but the sudden warning from Adobe is a sure sign that rigged PDF documents are being used by malicious hackers to take complete control of machines with the latest versions of Adobe Reader/Acrobat installed.
Here’s Adobe’s warning:
A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system.There are reports that this vulnerability is being actively exploited in the wild.
Adobe is in the process of evaluating the schedule for an update to resolve this vulnerability.
Ominously, Adobe said it cannot offer any pre-patch advice to help users thwart the attacks.
Unfortunately, there are no mitigations we can offer. However, Adobe is actively sharing information about this vulnerability (and vulnerabilities in general) with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.
An Adobe spokeswoman described the attacks as “limited” but warned that that could change with the availability of public exploit code. She said the company was notified of the attacks yesterday (Tuesday September 7, 2010) via information from a private partner company.
Related articles by Zemanta
- New Adobe PDF Zero-Day Under Attack (it.slashdot.org)
- New Adobe PDF zero-day under attack (zdnet.com)
- Adobe warns of zero-day Acrobat flaw (v3.co.uk)
