Adobe's Reader Under Attack....

October 2009

Attackers once again are targeting an unpatched vulnerability in Adobe Reader that allows them to take complete control of a user’s computer, the software maker warned. Adobe said it planned to patch the critical security bug in Reader and Acrobat 9.1.3 for Windows, Mac and Unix on Tuesday, the date of the company’s previously scheduled patch release for the PDF reader. According to Security Focus here, attackers can exploit the vulnerability by tricking a user into opening a booby-trapped PDF file. “Successful exploits may allow the attacker to execute arbitrary code in the context of a user running the affected application,” the security site warned. “Failed attempts will likely result in denial-of-service conditions.” The bug is presently being exploited in “limited targeted attacks,” Security Focus added, without elaborating. Adobe said only that the attacks target Reader and Adobe running on Windows operating systems. Those using Windows Vista with a feature known as data execution prevention enabled are safe from the exploit. Users on other platforms can insulate themselves from the current attack by disabling java_script from running inside the application, but Adobe warned it’s possible to design an exploit that works around that measure.