Adobe Systems released a patch today to plug a security hole affecting Adobe Reader that is on the radar of attackers.
The update actually fixes two vulnerabilities, though only one is known to be under attack. That vulnerability-a flaw affecting Adobe Reader 9.4.1 and earlier 9.x versions for Windows, Unix and Mac OS X-had been targeted by attackers for the past few weeks. The problem is actually in Reader’s authplay.dll component, which is used to render Flash content in PDF files. Adobe first warned users about the bug Oct. 28 and patched the vulnerability in Flash Player earlier this month.
The vulnerability, CVE-2010-3654, could be used to cause a crash and potentially allow an attacker to take control of the affected system, Adobe said in its advisory.
The other issue fixed in the update is a denial-of-service bug. An Adobe spokesperson said the company has not seen any exploit in the wild targeting the bug yet. However, proof of concept code was posted on the Full Disclosure mailing list.
“Adobe recommends users of Adobe Reader 9.4 and earlier versions for Windows and Macintosh update to Adobe Reader 9.4.1, available now,” the company said in the advisory. In addition, “Adobe recommends users of Adobe Reader 9.4 and earlier versions for Unix update to Adobe Reader 9.4.1, expected to be available on November 30, 2010 … [and] users of Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh update to Adobe Acrobat 9.4.1.”