14 DAY TRIAL // Adobe plans to ship a fix for the actively exploited critical vulnerability in Adobe Reader and Acrobat during the week of October 4.
The remote code execution flaw, identified as CVE-2010-2883, was confirmed by Adobe last Wednesday after being spotted in attacks infecting users with malware.
The exploit employs advanced techniques such as return-oriented programming, which defeat ASLR and DEP protection in Windows Vista and 7.
In addition, the the payload involves dropping a piece of malware that was digitally signed with a valid certificate stolen from a US-based credit union.
"We are in the process of finalizing a fix for the issue and expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010," Adobe says in the associated advisory.
This represents an accelerated release of the quarterly update originally scheduled for October 12 and will also address a separate critical vulnerability affecting the Adobe Reader Flash interpreter (authplay.dll).
This second vulnerability (CVE-2010-2884) is also being exploited at the moment to infect computers and will be fixed in Flash Player in around two weeks.
However, attackers will still be able to exploit it by embedding malicious SWF content in PDF documents until the Adobe Reader update lands.
Over a year ago Adobe introduced a uniform quarterly update cycle for Reader and Acrobat, in order to make it easier for system administrators to plan patching in corporate environments.
The program didn't prove as successful as the company hoped, since it was forced to break out of the cycle and reschedule releases several time until now.
One solution might be the sandbox feature planned for the next major version of Adobe Reader, which is expected to make exploitation significantly harder.
In the meantime, Microsoft provides mitigation for this particular PDF exploit through its Enhanced Mitigation Evaluation Toolkit (EMET).