Critical Adobe Reader vuln under 'targeted' attack
No patch till Tuesday
Attackers once again are targeting an unpatched vulnerability in Adobe Reader that allows them to take complete control of a user's computer, the software maker warned.
Adobe said it planned to patch the critical security bug in Reader and Acrobat 9.1.3 for Windows, Mac and Unix on Tuesday, the date of the company's previously scheduled patch release for the PDF reader. According to Security Focus here, attackers can exploit the vulnerability by tricking a user into opening a booby-trapped PDF file.
"Successful exploits may allow the attacker to execute arbitrary code in the context of a user running the affected application," the security site warned. "Failed attempts will likely result in denial-of-service conditions."
The bug is presently being exploited in "limited targeted attacks," Security Focus added, without elaborating. Adobe said only that the attacks target Reader and Adobe running on Windows operating systems.
The company said it's working with anti-virus providers so their software can detect the PDF files that target the bug.
This is at least the third time this year that criminals have targeted an unpatched vulnerability in Adobe Reader or Flash, which arguably are installed on a larger base of machines than any Microsoft software. The company has taken flak not just for releasing buggy programs, but for taking too long to fix security flaws once they're discovered. The company in May promised to reinvigorate its security program for Reader. ®