Adobe Warns Of Critical Flaw In Reader, Acrobat

Adobe says it will address the critical Reader and Acrobat vulnerability in a security update that it plans to release Oct. 13. Adobe maintains that thus far, the active exploits are limited to "targeted attacks" aimed at Reader and Acrobat 9.1.3 on Windows.

The upcoming Adobe patch is the second security update for both Reader and Acrobat this quarter.

While the vulnerability isn't dependent upon JavaScript, Adobe said in its security advisory that users might be able to mitigate the flaw by disabling the JavaScript function until a patch is released. Adobe also recommended that users keep antivirus products up to date. Meanwhile, Adobe Reader and Acrobat 9.1.3 customers with DEP enabled on Windows Vista are protected against attacks exploiting the vulnerability, Adobe said.

SANS Institute researcher Johannes Ullrich said in a blog post that Adobe users could also "clean" PDF documents by converting them into an alternative format, such as PostScript, and then turning them back into a PDF.

"However, this is not 100 percent certain to remove the exploit and you may infect the machine that does the conversion, as it will likely still use the vulnerable libraries to convert the document. But the likelihood of this happening is quite low," Ullrich said.

Adobe said it is collaborating with several antivirus and security vendors in order to address the security vulnerabilities.

Until the issue is resolved, users can monitor the latest information on the Reader and Acrobat flaw at the Adobe Product Security Incident Response Team blog.