Adobe patches Reader and Acrobat vulnerabilities
Out-of-band patch to address vulnerabilities attackers used to target defence companies
By Lucian Constantin | Published: 10:31, 19 December 2011
Adobe Systems has released Adobe Reader and Acrobat 9.4.7 in order to patch two vulnerabilities that are being actively exploited in attacks against companies from the defence industry.
One of the security flaws, identified as CVE-2011-2462, was announced on December 6 after Lockheed Martin's Computer Incident Response Team (CIRT) and members of the Defense Security Information Exchange reported it to Adobe.
Symantec confirmed a few days later that the vulnerability had been exploited since the beginning of November in email-based attacks that targeted companies from the telecommunications, manufacturing, computer hardware, chemical and defense industries.
Related Articles on Techworld
Since the original advisory was published last week, Adobe has learned of a second vulnerability that was also being exploited in the wild. The company assigned an identifier of CVE-2011-4369 to the new flaw, but it's not clear if it's related to the same attacks as the first one.
"The Adobe Reader and Acrobat team was able to provide a fix for this new issue as part of today's update. Note also that at this time, we are only aware of one instance of CVE-2011-4369 being used," said Wiebke Lips, Adobe's senior manager of corporate communications.
Even though the vulnerabilities also affect the Adobe Reader and Acrobat X (10.x) branch, Adobe decided to postpone updates for these versions until the next scheduled update cycle on January 10.
"Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of the type currently targeting these vulnerabilities (CVE-2011-2462 and CVE-2011-4369) from executing, we are planning to address these issues in Adobe Reader and Acrobat X for Windows with the next quarterly security update," the company said in a security bulletin.
Updates for Adobe Reader 9.x for Unix will also be released on January 10, because the attacks are not considered an immediate threat to Unix users. Users of the Windows 9.x versions are strongly encouraged to upgrade to Adobe Reader and Acrobat 9.4.7 in order to protect their computers.
