Adobe Systems is prepping a patch for a zero-day bug affecting its Reader and Acrobat software for release by Jan. 12.
The vulnerability is considered critical by Adobe and impacts the latest versions of Adobe Reader and Acrobat for Windows, Macintosh and Unix systems. Earlier editions are affected as well. The company has not released much information about the bug, but it is known to be under attack via malicious PDF files.
If exploited, the vulnerability could crash the application or allow an attacker to execute arbitrary code. According to Adobe and security researchers from the SANS Institute and The Shadowserver Foundation, users seeking an interim workaround until the patch ships can disable JavaScript in Reader and Acrobat. Customers using Microsoft DEP (Data Execution Prevention) are at reduced risk in certain configurations; with the DEP mitigation in place, the impact of the current exploit is reduced to a denial of service, according to Adobe.
“There are reports that this vulnerability is being actively exploited in the wild … Adobe recommends that you keep your anti-malware software and definitions up-to-date and monitor releases from your vendor about this issue,” Adobe Security Program Manager David Lenoe wrote on the company’s Product Security Incident Response Team blog Dec. 15.
Adobe has said it will patch another vulnerability in January as well. That bug impacts Adobe Illustrator CS4 and CS3, and can be exploited to execute code via a malicious Encapsulated PostScript file in Illustrator. Proof-of-concept exploit code has already been published on the Web.