Adobe confirmed yesterday that its Adobe Reader software contains a zero-day vulnerability, crediting the security team at Lockheed Martin, which itself was a victim of an attack through the exploit, and members of the Defense Security Information Exchange for discovering and reporting the bug.
It appears defence contractors are being specifically targeted in this case. Adobe confirmed that the flaw is "being actively exploited in limited, targeted attacks," although no further details were provided.
The company issued a critical security advisory and confirmed the flaw affects multiple operating systems and various versions of its software, though using the latest release in Protected Mode or Protected View reportedly prevents the vulnerability from being exploited.
"This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in its security advisory. The affected software and operating systems are:
• Reader X 10.1.1 and earlier 10.x versions for Windows and Apple OS X
• Reader 9.4.6 and earlier 9.x versions for Windows, Apple OS X and Unix
• Acrobat X 10.1.1 and earlier 10.x versions for Windows and Apple OS X
• Acrobat 9.4.6 and earlier 9.x versions for Windows and Apple OS X
Adobe was also keen to point out that its Reader for Android and Adobe Flash Player are not affected. The firm plans to update Windows versions of its 9.x software no later than the week ending December 12. All other affected versions will receive a patch by January 10, 2012.
Those using Adobe's Reader X and Acrobat X versions are advised either to avoid opening unknown files or, if they must open them, to do so in Protected Mode or Protected View until the patch is available in the New Year.
The company was recently in the news at the beginning of November after revealing its shock decision to terminate further development of Flash for mobile browsers. Instead, it will focus solely on HTML5 and other web technologies.