Adobe released emergency patches for Adobe Reader and Acrobat 11, 10 and 9 yesterday that address two critical vulnerabilities being actively exploited by attackers.
The exploit was discovered by researchers from security firm FireEye in active attacks last week and was confirmed by Adobe one day later. It's particularly dangerous because it bypasses the sandbox anti-exploitation mechanism in Adobe Reader 10 and 11.
"Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux," the company said in a security advisory. "These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system."
Users should update their Adobe Reader and Acrobat installations to the new versions released yesterday as soon as possible. These are Adobe Reader and Acrobat 11.0.02, 10.1.6 and 9.5.4.
"Users on Windows and Macintosh can utilise the product's update mechanism," Adobe said. "The default configuration is set to run automatic update checks on a regular schedule. Update checks can be manually activated by choosing Help > Check for Updates."
Before releasing the updates, Adobe recommended that users of Adobe Reader 11 turn on the Protected View feature as a temporary mitigation to the existing exploit by choosing the "Files from potentially unsafe locations" option under the Edit > Preferences > Security (Enhanced) menu. This is a protection mechanism only in Adobe Reader 11, but it isn't turned on by default.
Adobe Reader Protected View only allows a single function and that is to view a PDF document, said Heather Edell, Adobe's senior manager of corporate communications. "Turning Adobe Reader Protected View on by default would break existing workflows customers rely on and result in unexpected impact on a very significant number of users."
"That being said, we have been working closely with customers and partners since the release of Adobe Reader Protected View on finding ways to make these additional protections a default at some point in the future without the negative impact on such a large number of users," she said.