Hackers exploit Adobe Reader zero-day, may be targeting defense contractors
Adobe credits Lockheed Martin, victim of earlier attack, and defense industry cyber-threat group with reporting unpatched bug
Computerworld - Adobe today confirmed that an unpatched, or zero-day, vulnerability in Adobe Reader is being exploited by criminals.
Those attacks may have been aimed at defense contractors.
Adobe promised to patch the bug in the Windows edition of Reader and Acrobat 9 no later than the end of next week. Tuesday, Dec. 12 is also Microsoft's regularly-scheduled Patch Tuesday for the month.
The upcoming patch will be Adobe's sixth for Reader and Acrobat this year.
"A critical vulnerability has been [found] in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Unix, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh," Adobe said in an early-warning email. "This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system."
The company issued a security advisory with what information it was willing to share.
Adobe acknowledged that the vulnerability is being exploited in what it called "limited, targeted attacks" against Reader 9.x on Windows, but did not provide any additional information about where and when the attacks were occurring, or who had been targeted.
Adobe identified the bug as a "U3D memory corruption vulnerability," U3D, which stands for "universal 3D," is a compressed file format standard for 3-D graphics data promoted by a group of companies, including Adobe, Intel, and Hewlett-Packard.
Reader vulnerabilities are typically exploited by attackers using malicious PDF documents that are attached to email messages with baited subjected heads that try to dupe recipients into opening the document.
Doing that also executes the malicious code -- in this case, likely malformed U3D data -- hidden in the PDF, compromising the victim's PC and letting the attacker infect the machine with other malware.
The attacks exploiting the unfixed flaw may have targeted U.S. defense contractors: Adobe originally credited the security response teams at both Lockheed Martin and MITRE with reporting the vulnerability.
Lockheed Martin is one of the U.S's largest aerospace and defense contractors, and manufactures the F-22 Raptor fighter jet and won the contract to build the F-35 Lightning II, the planned successor to the F-16 Falcon aircraft.
MITRE manages several research centers funded by U.S. government agencies, including the National Security Engineering Center for the Department of Defense, and the Center for Advanced Aviation System Development for the Federal Aviation Administration (FAA).
Lockheed Martin was in the computer security news last May when it admitted it had been the target of a "significant and tenacious [cyber]attack," which was allegedly conducted by leveraging information stolen several months earlier from RSA Security.
It's not unusual for companies targeted by hackers to be among the first to report a previously-unknown vulnerability, as they are, of course, in the best position to do so.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts