Think twice before opening up a PDF document in Adobe. There is a new zero-day security flaw in Adobe Reader and Acrobat that bad guys are already exploiting.
Zero-day vulnerabilities in Adobe aren’t new – although every new vulnerability should be taken seriously – but security experts are saying that this particular flaw has an unusual twist. These are the first known attacks that escape the sandbox and protections schemes that Adobe had built into its software. This is a big deal because, according to InformationWeek:
The sandbox technology, added to Reader more than two years ago, was designed to ensure that even if attackers exploited a bug in Adobe’s software, they wouldn’t be able to gain access to the rest of the PC. That defense has now been defeated.
Just when you think you’ve taken a step ahead of the bad guys, they do something to outsmart the protection.
Adobe has been alerted to the problem and has put out a warning bulletin, stating that the vulnerability could cause the application to crash and could allow the attacker to take over the computer. The warning adds that users should avoid clicking on a PDF file that comes in an email because it may be malicious.
What else can you do? Rapid7’s Ross Barrett shared this advice with me:
The best mitigation is to remove Adobe Reader as the default PDF opening application from your web browser. That won’t make you completely secure, all PDF readers (likely) have vulnerabilities, but Adobe Reader is by far the most popular and therefore most targeted. Not to mention that this is a tough countermeasure of a large organization to roll out on short notice.
This security update, according to Kaspersky Lab’s ThreatPost blog, comes on the heels of security updates for Adobe’s Flash Player and Shockwave Player, which led Adobe to release an emergency patch, at least for the Flash Player.
If you see an update reminder from Adobe, it would be a very good idea to accept the patch immediately.