Sep 8, 2010 20:12 GMT

Adobe warns that a new critical zero-day vulnerability affecting its Reader and Acrobat products is actively being exploited in the wild to compromise computers.

The company has published a Security Advisory about the flaw, identified as CVE-2010-2883 and for which public exploit code is available.

"A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh.

"This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild," Adobe writes.

There are no mitigation instructions available at the moment, but the company is working with security vendors to add detection for the exploit in their products. Therefore, users are strongly encouraged to keep their antivirus programs up to date.

Adobe thanks malware researcher Mila Parkour, who maintains the Contagio malware dump blog, for reporting the attack and working with its security team on the issue.

Meanwhile, the company is looking into scheduling a security update to resolve this vulnerability, which will probably be released out of band.

Since July 2009, Adobe Reader and Acrobat have been on a uniform quarterly update cycle, but the company has already had to break out of it four times to patch zero-day flaws.

The next scheduled update is expected to land on October 12, which is still over a month away, far too long to leave an actively exploited vulnerability unpatched.

The company also has the option of bringing the scheduled update forward and releasing it early. This approach has the benefit of not having to go through the lengthy quality assurance process twice within a short period, and Adobe has opted for it before.