Today we reported on a critical zero-day vulnerability affecting the latest Adobe PDF Reader versions 9.5.3, 10.1.5, and 11.0.1. Researchers at FireEye had sent samples of this newly uncovered vulnerability to Adobe. According to a security advisory from Adobe, a fix is on its way.
In its security advisory, Adobe acknowledges the critical vulnerabilities (CVE-2013-0640, CVE-2013-0641) in Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Macintosh. So critical are these vulnerabilities that they could cause the application to crash and allow an attacker to control the affected system.
Working on a fix
In its security advisory, Adobe lists the affected software versions, which include:
- Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
- Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
- Adobe Reader 9.5.3 and earlier 9.x versions for Windows and Macintosh
- Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
- Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
- Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh
Importantly, Adobe advises users of Adobe Reader XI and Acrobat XI for Windows to enable Protected View to protect themselves from this exploit. Choose the “Files from potentially unsafe locations” option under the Edit > Preferences > Security (Enhanced) menu.
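For administrators who want to confirm that users have actually applied this advice, the following PowerShell script audits (and can enforce) the Protected View preference for Reader XI and Acrobat XI. It is an added example, not code from the article or from Adobe; it assumes the preference is stored per user as the DWORD value `iProtectedView` under `HKCU\Software\Adobe\<product>\11.0\TrustManager`, with 0 meaning off, 1 meaning “Files from potentially unsafe locations” and 2 meaning all files, as described in Adobe's preference reference, and that a missing value means the default (off). Check those paths against the reference for your exact build before relying on it.

```powershell
# Added example (not from the article or Adobe): audit and optionally set the
# Protected View preference for Reader XI / Acrobat XI for the current user.
# Assumption: preference lives at HKCU\Software\Adobe\<product>\11.0\TrustManager
# as DWORD iProtectedView (0 = off, 1 = potentially unsafe locations, 2 = all files).

$Products = @(
    @{ Name = 'Adobe Reader XI';  Key = 'HKCU:\Software\Adobe\Acrobat Reader\11.0\TrustManager' },
    @{ Name = 'Adobe Acrobat XI'; Key = 'HKCU:\Software\Adobe\Adobe Acrobat\11.0\TrustManager' }
)
$Labels = @{ 0 = 'Off'; 1 = 'Files from potentially unsafe locations'; 2 = 'All files' }

function Get-ProtectedViewState {
    foreach ($p in $Products) {
        # Skip products that are not installed or have never been launched by this user
        if (-not (Test-Path $p.Key)) { continue }
        $v = (Get-ItemProperty -Path $p.Key -Name iProtectedView -ErrorAction SilentlyContinue).iProtectedView
        # Assumption: an absent value means the product default, which is Protected View off
        if ($null -eq $v) { $v = 0 }
        [pscustomobject]@{
            Product   = $p.Name
            Setting   = [int]$v
            Meaning   = $Labels[[int]$v]
            Compliant = ([int]$v -ge 1)   # Adobe's advice is satisfied by level 1 or 2
        }
    }
}

function Set-ProtectedView {
    # Level 1 matches the option named in the advisory; level 2 is stricter
    param([ValidateSet(1, 2)][int]$Level = 1)
    foreach ($p in $Products) {
        if (-not (Test-Path $p.Key)) { continue }
        Set-ItemProperty -Path $p.Key -Name iProtectedView -Value $Level -Type DWord
        Write-Host "Set Protected View level $Level for $($p.Name)"
    }
}

# Report current state; uncomment the second line to enforce the advisory's setting
Get-ProtectedViewState | Format-Table -AutoSize
# Set-ProtectedView -Level 1
```

Because the value is per user, run the audit in each user's context (for example via a logon script) rather than once as an administrator; the `Compliant` column is what a compliance report should key on, since either level 1 or level 2 satisfies the advisory.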
FireEye researchers, in an official blog post, added that if successful, the exploit drops two DLLs. The first DLL reportedly shows a fake error message and opens a 'decoy' PDF document. “The second DLL in turn drops the callback component, which talks to a remote domain,” the report adds.
Until a fix is issued, users have been advised not to open any unknown PDF files. In an update to the post, FireEye adds, “In response to the many requests we’ve received for more detailed information, we would like to let our readers know that we have been working with Adobe and have jointly agreed to refrain from posting the technical details of the zero-day at this time. This post was intended to serve as a warning to the general public. We will update this post with more information at a later time.”
Only last week, Adobe released a security patch for a rather critical vulnerability that could allow an attacker to take control of the entire system. The security updates were released for Flash Player for Windows, Macintosh, Linux, and Android. Adobe states that the vulnerability is quite serious and advises users to update Flash as soon as possible.
The fixes come in the wake of reports of a vulnerability, CVE-2013-0633, being exploited. The exploit is designed to trick users into opening a Microsoft Word document that's delivered as an email attachment and contains malicious Flash (SWF) content. The exploit for the CVE-2013-0633 vulnerability targets the ActiveX version of Flash Player on Windows.