An unpatched bug in popular PDF viewing and editing applications is much more dangerous than first thought, according to security researchers who have created exploits that sidestep Adobe's defensive recommendations.
Adobe Systems has known about the vulnerability in its Reader and Acrobat software since mid-January, but will not patch the problem until Wednesday, March 11.
The bug first made news two weeks ago, when Adobe confirmed the problem and pegged it as critical. Within days, other reports surfaced that in-the-wild attacks had been exploiting the flaw since early January.
"Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability...just like it would when you would explicitly open the document," Stevens said in a blog post.