Adobe kills two actively exploited bugs in Reader
Adobe has released updates for its Reader and Acrobat applications that fix two vulnerabilities that attackers were exploiting to seize control of Windows-based machines.
Version 9.4.6 of the programs fix two memory-corruption bugs that Adobe says are “being actively exploited in limited, targeted attacks in the wild” against machines running Windows. The same bugs are present in Mac and Unix versions of the applications, but there are no reports of machines running them being exploited. The bugs are also present in Reader X for Windows, but a security sandbox, which Adobe added last year to minimize the damage that results from code flaws, prevents the attacks from working.
As a result, those versions will be updated next month, during a regularly scheduled patch release.
Adobe warned of the attacks earlier this month in an advisory that credited military contractor Lockheed Martin and the Defense Security Information Exchange. A day later, researchers from antivirus provider Symantec warned that email-born attacks exploiting the flaw to install the Backdoor.Sykipot were detected as early as November 1. The vulnerability in the U3D, or Universal 3D, file format is identified as CVE-2011-2462.
On Friday, Adobe said a second vulnerability – in an RPC, or remote procedure call, component – was also under attack. It’s identified as CVE-2011-4369. Adobe representatives provided no other details of the vulnerability, except to say they are “only aware of one instance” of it being used. ®