Adobe released a Security Advisory (APSA11-04) for a critical vulnerability in Adobe Reader X and Adobe Acrobat X (10.1.1) and earlier versions on all platforms.
The vulnerability is a memory corruption issue that could cause a crash and potentially allow an attacker to take control of the affected system. Adobe indicates that there are reports of the vulnerability being actively exploited in the wild in limited, targeted attacks against Adobe Reader 9.x on Windows.
An update for Adobe Reader and Acrobat 9.x only for Windows is expected no later than the week of December 12, 2011. Adobe plans on updating all other versions as part of the next quarterly update scheduled for January 10, 2011. According to Adobe, Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing.
Alternatives
Several years ago, I tired of Adobe Reader and switched to Sumatra PDF, an alternate PDF reader. After I got past the bright yellow GUI, I found Sumatra PDF to be a nice, light-weight option with no unnecessary add-ons or toolbars. There are a number of open source readers available from http://pdfreaders.org/.
- Release date: December 6, 2011
- Vulnerability identifier: APSA11-04
- CVE number: CVE-2011-2462
- Platform: All
- Security Advisory: Security Advisory for Adobe Reader and Acrobat
- PSIRT Blog: Security Advisory for Adobe Reader and Acrobat (APSA11-04)