Adobe is planning to ship an update a week from today that fixes a critical vulnerability in its free and widely used PDF Reader program. Unfortunately, according to experts, criminal hackers are starting to step up attempts to exploit the flaw and install malicious software via poisoned PDFs.
The SANS Internet Storm Center warns that it is beginning to get submissions of malicious PDFs from experts in the field. It’s difficult to say how likely it is that your average Web user would encounter one of these nasty PDFs, although I would not be at all surprised to see the bad guys taking greater advantage of the situation between now and next Tuesday.
Longer term, it looks like Adobe is planning to include functionality that will silently patch security holes without any user action. Currently, Adobe Reader ships with a component that prompts users to install updates, but of course plenty of users ignore that warning over and over again. Given the ubiquity of this program, I see this as a positive development overall, provided Adobe doesn’t squander a security opportunity by pushing “extras,” such as third-party toolbars or trial programs.