Adobe patches Reader bug early as PDF attacks begin
Fixes Flash flaw in Reader, Acrobat; beware of malicious PDFs touting news
Computerworld - Adobe on Thursday patched a critical bug in Adobe Reader, its popular PDF viewer, beating its self-imposed deadline by several days.
Hackers have already begun exploiting the bug in malicious PDF files, Adobe confirmed.
Adobe owned up to a Flash Player flaw last week after an independent researcher found exploits in embedded Flash files within Microsoft Word and Excel files attached to emails.
It was the second time in four weeks that Adobe had to acknowledge a Flash "zero-day," or unpatched vulnerability that hackers were exploiting.
The Flash bug also existed in Adobe Reader and Acrobat, both of which include code that renders Flash content inserted into PDF files.
Adobe shipped a patched version of Flash Player on April 15. At that time, Adobe said it would fix Reader and Acrobat sometime during the week of April 25.
Since last week, attacks have appeared that exploit the bug in Reader and Acrobat, Adobe said today.
"There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat," Adobe said in today's security advisory.
Mila Parkour, the security researcher who reported the flaw to Adobe, has tracked malicious PDF documents exploiting the vulnerability. The PDFs carry filenames that tout information about China, Russia, the Obama administration and the Middle East, Parkour said today on her Contagio Malware Dump blog.
The rogue PDFs are attached to messages purportedly from editors at the New York Times, although in reality they originated from servers in Utah and China.
Today's Reader and Acrobat updates also patch a second critical vulnerability that Adobe said has not yet been exploited in the wild.
Adobe Reader X, the version that launched late last year -- and which includes anti-exploit "sandbox" technology that isolates Reader from the rest of the computer -- blocks attack code execution, said Adobe. The company will patch the vulnerability in Reader X in mid-June as part of its already-scheduled security updates.
The patched versions of Reader and Acrobat can be downloaded from Adobe's support site. Alternately, users can run the programs' integrated update tool or wait for the software to prompt them that a new version is available.
Adobe Reader on Android is not affected by the flaws, and does not need to be patched, Adobe claimed. An Android fix for the Flash vulnerability will ship next week.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is firstname.lastname@example.org.