Users of Adobe PDF Reader should check they are running the latest version of the software after the discovery of an exploit that takes advantage of a serious flaw patched only three weeks ago.
According to Microsoft's Threat Research and Response blog, its researchers have discovered a circulating PDF-based attack that hooks into the publicised flaw, CVE-2010-0188, to download a Trojan backdoor capable of taking control of the affected system.
[ Security vendor McAfee predicted Adobe's Flash and Acrobat Reader will become the preferred targets for hackers in 2010. | Learn how to secure your systems with Roger Grimes' Security Adviser blog and Security Central newsletter, both from InfoWorld. ]
The warning relates mainly to Adobe Acrobat and Reader up to 9.3.0 for Windows, Apple and Unix. older versions of Acrobat and Reader, 8.2.0 (used by anyone unable to update to 9.3.x), are also affected on Windows and Apple and should be patched to 8.2.1.
Anyone running the latest version of Acrobat or Reader, 9.3.1, is immune to the issue which was patched with unusual haste on by Adobe on 16 February. By reacting so quickly, Adobe seems to have learned the lessons of the last year when it tended to patch only in regular cycles, which often left users exposed to emerging exploits for inconvenient periods to time. It also issued the patch as an automatic update -- activated without user intervention -- rather than rely on the manual update process.
The concern is that the recent date of the update makes it likely that a large number of users will still be running older and vulnerable versions of the software. How quickly the 9.3.1 version is pushed to desktops will depend on the system in question and which version it uses as 'current'.
Ironically, in the same week the Acrobat/Reader vulnerability was patched, Adobe also had to issue a separate update for Download Manager, a utility used to manage direct downloads from the company's website.
The latest version of affected Adobe software can be downloaded here.