Adobe patched a critical Flash bug in Adobe Reader a few days earlier than expected. Rogue PDF files exploiting the bug have recently been detected in the wild, Adobe said.
This is Adobe’s second out-of-band update to address a Flash Player zero-day vulnerability in the past month. After a round of frenzied patching in March, Adobe updated Flash Player again on April 15. While the company had had initially promised updates for Adobe Reader and Acrobat the week of April 25, it beat its own deadline by delivering the patch on April 21.
The update is for users with Adobe Reader X (10.0.2) for Macintosh, Adobe Reader 9.4.3 for Windows and Macintosh, Adobe Acrobat X (10.0.2) for Windows and Macintosh, and Adobe Acrobat 9.4.3 for Windows and Macintosh installed.
Adobe Reader on Android is not affected and will not be patched. Adobe Reader X for Windows blocks the Flash code from executing because of its Protected Mode sandbox technology. As a result, Adobe will patch Reader X on June 14 as part of its regular security update. The Flash fix for Android is still expected to be ready the week of April 25, as Adobe previously announced.
Adobe disclosed the latest Flash bug last week after an independent security researcher found malicious Flash files embedded in Word and Excel files in the wild. New exploits with Flash code in PDF files appeared shortly after the initial advisory was posted, according to Adobe.
“There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat,” Adobe said in today’s security advisory.
The latest rogue PDF files carry filenames referring to China, Russia, the Obama administration and the Middle East, according to Mila Parkour, the security researcher who reported the initial flaw to Adobe. The files are attached to email messages purportedly from New York Times editors, Parkour wrote on her Contagio Malware Dump blog.
The exploits are using recent news events to trick users into opening files, such as pretending to have information regarding Japan’s Fukushima nuclear reactor, China’s trade policies or the political turmoil in the Middle East.
When a user opens the infected file and triggers the rogue Flash code, a remote attacker can take complete control of the system. The attacker can access and steal user data or crash the user’s machine in a denial of service attack, Parkour said.
The latest updates also fixed a second vulnerability (CVE-2011-0610) that Adobe said has not yet been exploited by attackers. The memory corruption vulnerability in Acrobat and Reader’s CoolType library could result in code execution if exploited, Adobe said. The library processes TrueType fonts in PDF files.
Adobe patched another zero-day vulnerability in March that was also exploited by malicious Flash code inside an Excel document. Despite the similarity in the exploits, the two Flash vulnerabilities are unrelated and were found in different parts of the code, according to Adobe.
Adobe categorized the updates as “critical” and recommended users update their software immediately.