One week after news broke of a zero-day vulnerability in its Reader PDF software, Adobe has issued an out-of-band patch to address the problem. Security experts advise users to install the update as soon as possible.
The Next Web’s Emil Protalinski reported, “Adobe on Wednesday released a security bulletin addressing a vulnerability in its Reader and Acrobat products discovered and being exploited exactly a week ago. The vulnerability in question could cause a crash of either and software and potentially allow an attacker to take control of the affected system.”
Brian Prince from eWeek noted, “The patch follows a warning from security firm FireEye last week that attackers were launching malicious PDFs at Windows users in a zero-day attack. According to FireEye, when the vulnerability was successfully exploited, it would deploy two Dynamic Link Library (DLL) files. The first would show a fake error message and open a decoy PDF document. The second file deployed a callback component that talked to a remote Internet domain. The attackers were able to bypass the Adobe Reader sandbox, FireEye’s senior director of security researcher, Zheng Bu, told eWEEK last week.”
Dark Reading’s Kelly Jackson Higgins observed, “The exploit used the two bugs to bypass Adobe Reader 10’s sandbox feature and to sneak past the Protected Mode sandbox in Reader XI — key security features Adobe had added to its apps to prevent malware from poisoned PDFs from spreading to other parts of the machine.”
Security Watch’s Max Eddy added, “The patch is recommended by Adobe for all users of Adobe Reader and Acrobat, XI and earlier. The update impacts Windows, Macintosh, and Linux users for versions 11.0.01, 10.1.5, 9.x, and earlier versions of Adobe’s software. The patch can be downloaded from Adobe’s website, or through the company’s automatic update feature.”