If we could tell the hackers out there to take a break, we seriously would! We mean, come on, the holidays are at our doors and the last thing we’d want to do right now is deal with hacks and attacks. But we know this isn’t a possibility and a recent attack on Adobe in the first week of this month has proved just that.
Unknown hackers had launched “limited, targeted attacks” against high-value Windows users, exploiting a zero-day vulnerability in Adobe’s PDF Reader software. The attacks were observed in the wild against Windows users running Adobe Reader version 9.4.6, according to a warning from Adobe, and we assume an emergency patch for Adobe Reader and Acrobat 9.x for Windows has already been released because Adobe had planned to ship it “no later than the week of December 12, 2011.” Adobe has rated this issue as a “critical” one that currently haunts Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. And the company has warned that this vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe’s newer Reader X software also has the vulnerability but there are anti-exploitation roadblocks in that version. That explains why the company is in no hurry to release Reader X updates.
But then why is Windows on its high priority list? Look at what Adobe security chief, Brad Arkin, has to say about that, “The reason for addressing this issue quickly for Adobe Reader and Acrobat 9.4.6 for Windows is simple: This is the version and platform currently being targeted. All real-world attack activity, both in this instance and historically, is limited to Adobe Reader on Windows. We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or UNIX for this CVE (or any other CVE).” Focusing this release on just Adobe Reader and Acrobat 9.x for Windows also allows Adobe to ship the update much earlier, thus mitigating threats.
Likewise, Arkin has also made a plea to Adobe users to upgrade to the latest and greatest versions. It goes on as follows:
I’d like to take this moment to encourage any remaining users still running Adobe Reader or Acrobat 9.x (or worse, older unsupported versions) to PLEASE upgrade to Adobe Reader or Acrobat X. We put a tremendous amount of work into securing Adobe Reader and Acrobat X, and, to date, there has not been a single piece of malware identified that is effective against a version X install. Help us help you by running the latest version of the software!
So are you up for the upgrade? Get it here!