Adobe patches two vulnerabilities in Reader and Acrobat

Adobe releases out-of-band patch for Adobe Reader and Acrobat 9.x in order to address actively exploited vulnerabilities

Adobe Systems has released Adobe Reader and Acrobat 9.4.7 in order to patch two vulnerabilities that are being actively exploited in attacks against companies from the defense industry.

One of the security flaws, identified as CVE-2011-2462, was announced on Dec. 6 after Lockheed Martin's Computer Incident Response Team and members of the Defense Security Information Exchange reported it to Adobe.

[ The Web browser is your portal to the world -- as well as the conduit that lets in many security threats. InfoWorld's expert contributors show you how to secure your Web browsers in this "Web Browser Security Deep Dive" PDF guide. ]

Symantec confirmed a few days later that the vulnerability had been exploited since the beginning of November in email-based attacks that targeted companies from the telecommunications, manufacturing, computer hardware, chemical and defense industries.

Since the original advisory was published last week, Adobe has learned of a second vulnerability that was also being exploited in the wild. The company assigned an identifier of CVE-2011-4369 to the new flaw, but it's not clear if it's related to the same attacks as the first one.

"The Adobe Reader and Acrobat team was able to provide a fix for this new issue as part of today's update. Note also that at this time, we are only aware of one instance of CVE-2011-4369 being used," said Wiebke Lips, Adobe's senior manager of corporate communications.

Even though the vulnerabilities also affect the Adobe Reader and Acrobat X (10.x) branch, Adobe decided to postpone updates for these versions until the next scheduled update cycle on Jan. 10.

"Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of the type currently targeting these vulnerabilities (CVE-2011-2462 and CVE-2011-4369) from executing, we are planning to address these issues in Adobe Reader and Acrobat X for Windows with the next quarterly security update," the company said in a security bulletin published today.

Updates for Adobe Reader 9.x for Unix will also be released on Jan. 10, because the attacks are not considered an immediate threat to Unix users. Users of the Windows 9.x versions are strongly encouraged to upgrade to Adobe Reader and Acrobat 9.4.7 in order to protect their computers.

Copyright © 2011 IDG Communications, Inc.