Adobe Systems is dealing with a new security vulnerability affecting the latest versions of Adobe Reader and Acrobat as the company continues work on a fix for another zero-day bug exposed earlier this month.
Attackers are exploiting
a new vulnerability affecting Adobe Systems' Reader and Acrobat software
in what are reportedly targeted attacks.
According to Adobe's Product
Security Incident Response Team blog
, the vulnerability impacts Adobe
Reader and Acrobat 9.2, and is being exploited in the wild.
"We are currently
investigating this issue and assessing the risk to our customers," the
company's security team said in a blog post.
Adobe began hearing
reports of the attack Monday afternoon, but it has been in the wild for nearly
a week. The malicious Adobe Acrobat PDF file arrives as an e-mail attachment,
and executes when opened. According to Symantec, which detects the malware as Trojan.Pidief.H
the rate of infection at the moment is low.
However, researchers with
, a volunteer security watchdog group, said that could change in
the near future.
"We can tell you that this
exploit is in the wild and is actively being used by attackers and has been in
the wild since at least
December 11, 2009," according to the Shadowserver
blog. "However, the number of attacks [is] limited and most likely targeted in
nature. Expect the exploit to become more widespread in the next few weeks and
unfortunately potentially become fully public within the same timeframe."
Both Shadowserver and the
concerned about the vulnerability.
In addition to the latest
bug, Adobe still has another zero-day to clear off its plate as well. Earlier
this year, proof-of-concept exploit code
the Web for a vulnerability in Adobe Illustrator CS4 and CS3 that can be
exploited to execute code via a malicious Encapsulated PostScript (.eps) file
in Illustrator. Adobe has said it plans to fix the issue in Illustrator by Jan.