Adobe is warning that attackers are exploiting critical flaws in its PDF Reader and Acrobat software to break into vulnerable systems, and that the exploit being used in attacks evades the sandbox protection built into these products.
The company issued an advisory about the threat on Wednesday, which confirms many of the details first disclosed by security firm FireEye earlier this week. FireEye has since posted a follow-up blog entry that sheds some additional light on how this attack works.
According to Adobe, there are two vulnerabilities in play here, and they exist in the latest versions of its software, including Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier for Windows and Macintosh, and Adobe Reader 9.5.3 for Linux.
Adobe says it is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message. The software maker added that it is in the process of working on a fix for these issues.
In the meantime, Windows users of Adobe Reader XI and Acrobat XI can protect themselves from the security exploit by turning on Protected View, as follows: To enable this setting, choose the “Files from potentially unsafe locations” option under the Edit > Preferences > Security (Enhanced) menu.
For those spooked enough to avoid Adobe until a fix is available, there are several other free PDF reader programs available. I have been using Sumatra PDF for some time, and prefer it because it seems very lightweight and fast. Foxit Reader is another popular alternative.