Adobe PDF at Risk From Zero-Day Vulnerability
New attack on Adobe products is out in the wild and there is no patch.
Users of Adobe Reader and Acrobat PDF documents could be at risk from a new zero-day vulnerability, with the company saying it has gotten reports that the flaw is currently being exploited in the wild.
Adobe (NASDAQ: ADBE) has not yet released a full advisory detailing the security issue, but has issued a brief statement on its security blog.
"Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild (CVE-2009-4324)," Adobe's David Lenoe wrote on the Adobe Product Security Incident Response Team (PSIRT) blog. "We are currently investigating this issue and assessing the risk to our customers."
According to security researchers at the Shadowserver Foundation, the new Adobe PDF vulnerability has been circulating on the Internet and resulting in exploits since Dec. 11.
"I could recommend that you don't open any malicious PDFs," Johannes B. Ullrich, a SANS Security researcher, wrote in a blog post. "But it would probably be as useful to go and hide in a cave until all Adobe bugs got fixed."
This isn't the first time attackers have targeted Adobe Reader and Acrobat this year: Adobe has warned of zero-day flaws in Reader and Acrobat at least three times so far in 2009.
In July, Adobe reported a second zero-day flaw. The third set of zero-day PDF flaws appeared in October and was fixed that same month as part of a sweeping array of fixes from Adobe for 29 flaws.
Sean Michael Kerner is a senior editor at InternetNews.com, covering Linux and open source, application development and networking.