Adobe releases emergency patches for Reader and Acrobat

The security updates address two critical vulnerabilities already being exploited by attackers

Adobe released emergency patches for Adobe Reader and Acrobat 11, 10 and 9 on Wednesday that address two critical vulnerabilities being actively exploited by attackers.

The exploit was discovered by researchers from security firm FireEye in active attacks last Tuesday and was confirmed by Adobe one day later. It's particularly dangerous because it bypasses the sandbox anti-exploitation mechanism in Adobe Reader 10 and 11.

"Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux," the company said Wednesday in a security advisory. "These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system."

Users should update their Adobe Reader and Acrobat installations to the new versions released Wednesday as soon as possible. These are Adobe Reader and Acrobat 11.0.02, 10.1.6 and 9.5.4.

"Users on Windows and Macintosh can utilize the product's update mechanism," Adobe said. "The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates."

Before releasing the updates, Adobe recommended that users of Adobe Reader 11 turn on the Protected View feature as a temporary mitigation to the existing exploit by choosing the "Files from potentially unsafe locations" option under the Edit > Preferences > Security (Enhanced) menu. This is a protection mechanism only in Adobe Reader 11, but it isn't turned on by default.

Adobe Reader Protected View only allows a single function and that is to view a PDF document, said Heather Edell, Adobe's senior manager of corporate communications, Wednesday via email. "Turning Adobe Reader Protected View on by default would break existing workflows customers rely on and result in unexpected impact on a very significant number of users."

"That being said, we have been working closely with customers and partners since the release of Adobe Reader Protected View on finding ways to make these additional protections a default at some point in the future without the negative impact on such a large number of users," she said.

Tags patchesonline safetyAdobe SystemssecurityFireEyeExploits / vulnerabilities

Comments

Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Fraud Management Solutions

Reduce fraud losses regardless of channel by preventing cybercrime, identity theft, and other threats targeting your customers.

Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.