Adobe to release zero-day fixes for Reader and Acrobat

In early December, Adobe issued a security bulletin regarding new zero-day PDF-based attacks that took advantage of flaws in its Reader and Acrobat programs, allowing a hacker to crash the program and take control of the system.

The flaw was initially found to be in Reader and Acrobat versions 9.4.6 and X (10.1.1) on all supported platforms. A similar flaw was later found in Adobe's Flash Player, though in its security bulletin Adobe claims this is not the same issue as those in Reader and Acrobat.

Although the flaw is present on multiple platforms and in multiple software versions, Adobe claimed it was only being actively exploited in the Windows versions of Acrobat and Reader. As a result, and because version 10.1.1 of the software contains enhanced security options that thwart the exploit, Adobe only issued immediate updates for version 9.4.2 of Reader and Acrobat for Windows.

The company claimed that it would address the flaw in other versions of its software by releasing updates on January 10, 2012, so if you use these software packages from Adobe, be aware that an update will likely be made available today. When the updates are released, they can be obtained from Adobe's product update downloads page, and will also be available via the Adobe Update Manager program if you have that installed.

Until these updates are released, if you are using Acrobat X or Reader X (version 10 or above), you can protect against this flaw by enabling the program's enhanced security options: go to the program's preferences, select the "Security (enhanced)" section, and then check the "Enable Enhanced Security" option. Even after applying patches that correct this latest problem, it may be a good idea to keep these enhanced security measures enabled.