Adobe Systems Inc. is warning of a new zero-day vulnerability in its popular Reader and Acrobat applications that is being actively targeted by attackers in the wild.
In an advisory released late Tuesday, Adobe acknowledged reports from several security vendors that a new malicious PDF file was discovered in some email attachments targeting the Adobe zero-day. Adobe said a remote code execution vulnerability is in Reader and Acrobat 9.2 and earlier versions.
"We are currently investigating this issue and assessing the risk to our customers," Adobe said. "We will provide an update as soon as we have more information."
Joji Hamada, a virus handler at Symantec Corp., said a source tipped off the firmof the possibility of a new PDF zero-day vulnerability. In the Symantec Connect security blog, Hamada said there are few known details about the
"The PDF files we discovered arrives as an email attachment," Hamada wrote. "When the file is opened, a malicious file is dropped and run on a fully patched system with either Adobe Reader or Acrobat installed."
Security experts have warned that attackers are favoring holes in Web-facing user applications to gain entry to enterprise systems. Adobe's Reader and Acrobat applications have been highly targeted as has Apple's QuickTime media player. Both applications offer browser plug-in functionality making them an attractive target. Other coveted entryways have been through holes in Adobe's Flash Player plug-in, which has a huge marketshare.
Adobe is analyzing the malcode targeting its latest flaw and said it would release more details as they become available. Hamada urged users to be extra cautious of file attachments during the holiday season. Don't open unknown file attachments, he said.
Danish vulnerability clearinghouse Secunia issued an advisory Tuesday, giving the Adobe vulnerability an extremely critical rating. The Secunia advisory warned that the flaw was being actively exploited.
Adobe Flash Player update
Last week, Adobe issued an update to Flash Player fixing seven serious vulnerabilities that could enable attackers to crash the player and take control of a victim's machine. The update repaired memory corruption errors, a data injection vulnerability and multiple crash flaws. Adobe urged users to update their Flash Player to version 10.0.42.34.