Adobe has confirmed this its Reader and Acrobat software are susceptible to two vulnerabilities that are being used in targeted attacks.
Users' computers can become infected if they click on a malicious PDF file that is sent as part of an email. The company said in a Wednesday evening advisory that the bugs (CVE-2013-0640 and CVE-2013-0641) impact Reader and Acrobat for Windows and Mac 11.0.01 and earlier, 10.1.5 and earlier versions and 9.5.3 and earlier.
The exploits, first discovered by security firm FireEye, are able to bypass sandbox technology that Adobe unveiled with Adobe Reader X. The capability, dubbed “Protected Mode,” forces operations that display PDF files to the user to be run inside a confined environment, known as a sandbox, in which certain functions are prohibited.
While that feature isn't good enough to stop these advanced exploits, an additional capability known as "Protected View," which was added in October with the release of Adobe XI, is. However, users first must enable the control, according to Adobe. The advisory explains how under the "Mitigations" section.
Adobe said its working on a fix for the two flaws.