Adobe issued a security advisory Thursday about vulnerabilities in its Adobe Reader and Acrobat products. The company labeled the vulnerabilities critical, reflecting the highest level of severity, and indicated that software updates will be available on Tuesday, Oct. 13.
A number of Adobe products and all platforms are involved. The update will cover Adobe Reader 9.1.3, Acrobat 9.1.3, Adobe Reader 8.1.6, and Acrobat 8.1.6 for Windows, Macintosh and UNIX. The updates also will cover Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh.
If the software is left unpatched, malicious code carried in a downloaded PDF document can execute when the user opens the file, and viruses, Trojans or other malware can cause damage. Attacks have been seen in the wild targeting Adobe Reader and Acrobat 9.1.3 on Windows. The advisory said that computers running the Windows Vista operating system with Data Execution Prevention (DEP) enabled are not impacted.
So Far, Limited Impact
Brad Arkin, director of product security and privacy for Adobe, said the company has information on "about a half-dozen" attacks. He said next Tuesday's security update is the second of two on the company's schedule. The first was released June 9. A response to the attacks has been folded into the second update, he said.
Ryan Naraine, a security evangelist for Kaspersky Labs, said the attacks seem to be aimed at corporate and business types. "This is a big deal for two reasons. One is that it is not patched yet, and two is that there already are attacks happening. That means that malicious hackers got hold of this vulnerability before Adobe did."
Researchers agree that Adobe is a big target. Ben Greenbaum, senior research manager for Symantec Security Response, said Adobe is now squarely in the limelight, at least as far as crackers are concerned.
"I wouldn't say it is becoming a larger target, but it certainly has been a large target for a while. By that, I mean the past two or three years."
Naraine added that Adobe has had a busy year. "This is the fourth [attack] this year," he said. "That's not every week or every other week, but four times per year is considered a lot."
Greenbaum said there is no special protection against contaminated PDF documents. Best-practice security should be exercised, he said, including using common sense, making sure that security software is up to date, and keeping automatic updates turned on. He joined the others in urging users to take advantage of the patch as soon as it becomes available on Tuesday.