Adobe PDF at risk from 0-day (again)

From the ‘PDFs Containing More Than Words’ files:

Adobe issued a security advisory on Thursday warning of a currently unpatched (0-day) vulnerability in its PDF technologies, Adobe Reader and Acrobat.

A patch is currently targeted for October 13th, meaning millions of users around the world are now at risk for at least four days. To make matters even worse, Adobe’s advisory notes that they are aware of reports of Adobe Reader and Acrobat for Windows being exploited in the wild. No, that’s not good.

There are, however, a few workarounds that users can enable to help mitigate the risk from this most recent exploit.

“Adobe Reader and Acrobat 9.1.3 customers with DEP enabled on Windows Vista are protected from this exploit,” Adobe’s advisory states. “Disabling JavaScript also mitigates against this specific exploit, although a variant that does not rely on JavaScript could be possible.”

The advisory does not detail what the specific flaw is at this time.

This new zero-day is at least the third such 0-day PDF issue this year for Adobe. In March, Adobe patched a PDF flaw on Windows that dealt with an image handling issue.

The second big flaw came in July and was related to Adobe’s Flash technology as well.

Even with a patch out on October 13th, in my view, there is reason for many people to still be concerned.

Security researchers earlier this year claimed that many Adobe users do not update their software to the latest patched version, even when a patch is available.
