Adobe releases emergency patches for Reader and Acrobat
The security updates address two critical vulnerabilities already being exploited by attackers
IDG News Service - Adobe released emergency patches for Adobe Reader and Acrobat 11, 10 and 9 on Wednesday that address two critical vulnerabilities being actively exploited by attackers.
The exploit was discovered by researchers from security firm FireEye in active attacks last Tuesday and was confirmed by Adobe one day later. It's particularly dangerous because it bypasses the sandbox anti-exploitation mechanism in Adobe Reader 10 and 11.
"Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux," the company said Wednesday in a security advisory. "These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system."
Users should update their Adobe Reader and Acrobat installations to the new versions released Wednesday as soon as possible. These are Adobe Reader and Acrobat 11.0.02, 10.1.6 and 9.5.4.
"Users on Windows and Macintosh can utilize the product's update mechanism," Adobe said. "The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates."
Before releasing the updates, Adobe recommended that users of Adobe Reader 11 turn on the Protected View feature as a temporary mitigation to the existing exploit by choosing the "Files from potentially unsafe locations" option under the Edit > Preferences > Security (Enhanced) menu. This is a protection mechanism only in Adobe Reader 11, but it isn't turned on by default.
Adobe Reader Protected View only allows a single function and that is to view a PDF document, said Heather Edell, Adobe's senior manager of corporate communications, Wednesday via email. "Turning Adobe Reader Protected View on by default would break existing workflows customers rely on and result in unexpected impact on a very significant number of users."
"That being said, we have been working closely with customers and partners since the release of Adobe Reader Protected View on finding ways to make these additional protections a default at some point in the future without the negative impact on such a large number of users," she said.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts