We have just posted Security Advisory APSA11-04 regarding a new vulnerability (CVE-2011-2462) that is currently being exploited in the wild in limited, targeted attacks against Adobe Reader 9.4.6 on Windows. Here is a summary of our approach to address this issue:
- We are planning to release an out-of-cycle security update for Adobe Reader and Acrobat 9.x for Windows no later than the week of December 12, 2011.
- Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit targeting this vulnerability from executing, we are planning to address this issue in Adobe Reader and Acrobat X for Windows with the next quarterly security update on January 10, 2012.
- The risk to Macintosh and UNIX users is significantly lower. We are therefore planning to address this issue in Adobe Reader and Acrobat X and earlier versions for Macintosh as part of the next quarterly update on January 10, 2012. An update to address this issue in Adobe Reader 9.x for UNIX is planned for January 10, 2012.
I’d like to take this moment to encourage any remaining users still running Adobe Reader or Acrobat 9.x (or worse, older unsupported versions) to PLEASE upgrade to Adobe Reader or Acrobat X. We put a tremendous amount of work into securing Adobe Reader and Acrobat X, and, to date, there has not been a single piece of malware identified that is effective against a version X install. Help us help you by running the latest version of the software!
Adobe would like to thank Lockheed Martin CIRT and members of the Defense Security Information Exchange for reporting this issue and for working with Adobe to help protect our customers.