The vulnerability exists in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6, and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh, Adobe explained in a security advisory.
The U3D memory vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the system. There are reports that this vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows, Adobe warned.
Adobe is taking a multistage approach to fixing the vulnerability. First, the company is planning to release an out-of-cycle security update for the software currently being exploited in the wild, that is, Adobe Reader 9.x and Acrobat 9.x for Windows. That will happen no later than the week of December 12.
The company explained that because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View prevent an exploit targeting this vulnerability from executing, it is planning to patch it in Adobe Reader X and Acrobat X for Windows with the next quarterly security update on January 10, 2012.
The risk to Macintosh and UNIX users is significantly lower, Adobe explained. Therefore, the company is planning to patch it in Adobe Reader and Acrobat X and earlier versions for Macintosh as part of the next quarterly update on January 10, 2012. An update to address this issue in Adobe Reader 9.x for UNIX is planned for January 10, 2012.
While users will be busy fixing this Reader and Acrobat vulnerability, they should beware that there is a spam email attack that is posing as an upgrade for Adobe Acrobat Reader and Adobe X Suite Advanced, warned Sophos. The emails have a ZIP file attached which contains a version of the Zeus trojan horse designed to steal banking information from compromised computers.
"Computer users need to learn that Adobe never sends out software updates as email attachments, and any legitimate upgrades should always be downloaded from Adobe's own website", said Graham Cluley, senior technology consultant at Sophos. "It's trivial for a malicious hacker to forge an email header to trick the unwary into believing an email has been sent from someone else – so just because it claims to be from Adobe, doesn't mean that it was sent by them", he added.