Adobe confirms Reader flaw, advises on workarounds

Share this article:

Adobe has confirmed a zero-day vulnerability in its Reader and Acrobat software and plans to release a patch on Jan. 12 for the dangerous bug.

According to an an advisory issued late Tuesday, the vulnerability impacts version 9.2 and earlier for Windows, Mac and UNIX platforms. A successful exploit can allow an attacker to crash or take control of a targeted system.

As users await an updated version of the popular PDF management products, the company recommended IT administrators utilize the JavaScript Blacklist Framework, which offers granular control over the execution of specific JavaScript API calls. Individual users, meanwhile, simply can opt to disable JavaScript in Reader and Acrobat by unchecking the "Enable Acrobat JavaScript"option.

In addition, customers can leverage Data Execution Prevention (DEP), a Vista and Windows 7 security feature that prevents an application from executing code in certain memory regions. The functionality also is available on Windows XP Service Pack 3.

Exploits currently are being delivered as a malicious PDF attached to emails, security experts said. So far, the attacks have been fairly targeted, but that is expected to change, especially now that the exploit has been added to the Metasploit framework.

David Lenoe, a security program manager at Adobe, said Tuesday in a blog post that users may be helped by their anti-virus vendors.

"Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available," he said.

Exploits for the vulnerability began surfacing late last week, but as of Tuesday, a majority of security solutions were failing to detect the malicious PDFs being used in the ambushes, according to the Shadowserver Foundation, an internet security watchdog.

Share this article:

Sign up to our newsletters

More in News

Cyber Command tests gov't collaboration in wake of attacks

The two-week exercise, "Cyber Guard 14-1," was completed this month.

Text message spammer settles charges filed by FTC

Text message spammer settles charges filed by FTC

Rishab Verma and his company agreed to settle charges filed by the FTC that Verma sent millions of spam text messages that deceitfully promised free merchandise.

Rhode Island hospital to pay $150K for past data breach

More than 12,000 patients' personal and health information was compromised in a breach at The Women & Infants Hospital of Rhode Island.