Urgent! Adobe users told to patch Reader and Acrobat against zero-day attacks

Graham Cluley

Adobe has warned computer users to update their installations of Adobe Reader and Acrobat as a matter of urgency, after it was discovered that malicious hackers were exploiting a critical zero-day vulnerability in targeted attacks.

According to the software company, it is “aware of evidence that indicates an exploit in the wild is being used in limited, isolated attacks targeting Adobe Reader users on Windows.”

The Mac versions of Acrobat and Reader are said not to be at risk.

If exploited, the CVE-2014-0546 allows attackers to bypass the sandbox and run malicious code with escalated privileges on the targeted Windows PC.

In response, Adobe has issued a security bulletin, recommending that users update their software at the earliest opportunity.

  • Users of Adobe Reader XI (11.0.07) and earlier versions for Windows should update to version 11.0.08.
  • For users of Adobe Reader X (10.1.10) and earlier versions for Windows, who cannot update to version 11.0.08, Adobe has made available version 10.1.11.
  • Users of Adobe Acrobat XI (11.0.07) and earlier versions for Windows should update to version 11.0.08.
  • For users of Adobe Acrobat X (10.1.10) and earlier versions for Windows, who cannot update to version 11.0.08, Adobe has made available version 10.1.11.

Security researcher Costin Raiu blogged that the attacks are currently “very limited” in number, but – of course – that’s going to be no consolation if you are one of the unfortunate organisations that finds itself in the sights of the hackers exploiting the flaw.

Raiu cautioned that even though the attacks were “very rare”, it was still recommended that all users update their computers “as soon as possible”.

By default, Adobe Reader should update itself automatically – but many users have reported in the past that they have had to wait a disturbing length of time before they receive notification that a new version is available.

For that reason, I would recommend that organisations and end users check via the Help menu if there is a newer version available.

Separately, Adobe has announced a raft of critical security vulnerabilities in another of its flagship products – Adobe Flash.

In a security bulletin about the Flash security flaws, Adobe said that it was not aware of any of them being exploited in the wild.

Windows, Mac and Unix users of Flash Player and Adobe AIR are advised to protect against the flaws – most of which have been given Adobe’s highest severity level – as soon as possible.

Adobe, of course, is no stranger to hackers exploiting flaws in its software, and has itself been on the receiving end of major security incidents.

Although I might not be as dramatic as The Register, which reported the news of Adobe’s security patches with a warning that you only have “three days to patch”, I would agree that if you can’t get your systems patched and updated within 72 hours, you certainly have a serious problem.

Updates and security patches are a part of everyday life, as every IT administrator knows. The trick is to have systems in place which allows you to manage the process effectively, without negatively impacting on the regular work of your organisation’s staff.

This article originally appeared on the Optimal Security blog.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET EMAIL UPDATES