A zero day is hitting Adobe with the vulnerability in Adobe Reader and defense contractors seem to be suffering from the exploitation the most.
Adobe said it will patch the bug in the Windows edition of Reader and Acrobat 9 no later than the end of next week. Tuesday, Dec. 12 is also Microsoft’s regularly-scheduled Patch Tuesday for the month. This will be Adobe’s sixth patch for Reader and Acrobat this year.
“A critical vulnerability has been [found] in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Unix, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh,” Adobe said. “This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system.”
The company did issue a security advisory.
Right now the vulnerability is going through “limited, targeted attacks” against Reader 9.x on Windows, Adobe said, but company officials did not provide any additional information about where and when the attacks were occurring.
Adobe identified the bug as a “U3D memory corruption vulnerability,” U3D, which stands for “universal 3D,” is a compressed file format standard for 3-D graphics data promoted by a group of companies, including Adobe, Intel, and Hewlett-Packard.
Attackers usually exploit Reader vulnerabilities by using malicious PDF documents attached to email messages with baited subjected heads that try to dupe recipients into opening the document.
Doing that also executes the malicious code — in this case, likely malformed U3D data — hidden in the PDF, compromising the victim’s PC and letting the attacker infect the machine with other malware.
The attacks exploiting the unfixed flaw may have targeted U.S. defense contractors: Adobe originally credited the security response teams at Lockheed Martin and MITRE with reporting the vulnerability.
Lockheed Martin is one of the U.S.’s largest aerospace and defense contractors, and manufactures the F-22 Raptor fighter jet and won the contract to build the F-35 Lightning II, the planned successor to the F-16 Falcon aircraft.
MITRE manages several research centers funded by U.S. government agencies, including the National Security Engineering Center for the Department of Defense, and the Center for Advanced Aviation System Development for the Federal Aviation Administration (FAA).
Lockheed Martin was in the computer security news last May when it admitted it had been the target of a “significant and tenacious [cyber]attack,” which was allegedly conducted by leveraging information stolen several months earlier from RSA Security.
While a patch for Reader and Acrobat 9 will reach users next week, Adobe said it will not deliver fixes for Reader and Acrobat 10 for Windows, as well as all versions for Mac OS X and Unix, until Jan. 10, 2012.
Adobe said Reader 10, also called Reader X, includes anti-exploit “sandbox” technology that isolates the application from the rest of the computer, and thus blocks the exploit now in circulation.
The company said that the risk to Macintosh and Unix users was “significantly lower” because attacks have been spotted targeting only Windows PCs.