Adobe has issued a security advisory about a newly discovered and still unpatched vulnerability in Adobe Reader and Adobe Acrobat which is being used in "limited, targeted attacks in the wild".
Attackers can exploit the flaw to crash the affected systems and to potentially gain access to them.
The vulnerability, titled U3D Memory Corruption Vulnerability, was part of a targeted attack and discovered by Lockheed Martin’s computer incident response team.
The attack involved embedding a maliciously crafted Universal 3D (U3D) stream in a PDF file, one of several examples of attacks on embedded streams within PDF files, said Anat Davidi, researcher at M86 Security Labs.
Embedded stream attacks represent a growing attack vector because they can get around defence mechanisms such as data execution prevention (DEP) and address space layout randomisation (ASLR), two techniques meant to help prevent unauthorised code execution, by using known techniques such as just-in-time (JIT) compiler spraying, he said in a blog post.
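The attack described above hinges on a PDF carrying a 3D annotation and a U3D stream, which the PDF format marks with fixed dictionary keys. The following triage script, an added example that is not from the article or from Adobe, flags PDFs containing such content so they can be pulled aside for review; the dictionary markers are taken from the PDF 1.7 specification, and the sample PDF bytes are constructed here, not captured from a real attack.

```python
import re
import zlib

# PDF 3D content (PDF 1.7, section 13.6): a 3D annotation has /Subtype /3D and
# a /3DD entry pointing at a stream whose dictionary has /Type /3D /Subtype /U3D.
MARKERS = {
    "3d_annotation": re.compile(rb"/Subtype\s*/3D\b"),
    "u3d_stream": re.compile(rb"/Subtype\s*/U3D\b"),
    "3dd_reference": re.compile(rb"/3DD\b"),
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
FLATE_RE = re.compile(rb"/FlateDecode\b")


def _inflate_streams(data: bytes) -> bytes:
    """Join the inflated bodies of FlateDecode streams so that dictionaries
    stored in compressed object streams (/ObjStm) are visible to the scan."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        # The stream's own dictionary sits just before the 'stream' keyword.
        head = data[max(0, m.start() - 300):m.start()]
        if FLATE_RE.search(head):
            try:
                bodies.append(zlib.decompress(m.group(1)))
            except zlib.error:
                continue  # not zlib data or corrupt; skip this stream
    return b"\n".join(bodies)


def scan_pdf_for_3d(data: bytes) -> dict:
    """Count 3D/U3D markers in the raw bytes plus inflated streams. Any hit
    marks the file for review; legitimate CAD PDFs match too, so this is triage."""
    haystack = data + b"\n" + _inflate_streams(data)
    hits = {name: len(rx.findall(haystack)) for name, rx in MARKERS.items()}
    hits["contains_3d"] = any(hits.values())
    return hits


# Constructed sample, not a real exploit file: the 3D annotation is in the
# clear, while the U3D stream dictionary is hidden in a Flate-compressed
# object stream, as objects in real files usually are.
_OBJSTM = zlib.compress(b"<< /Type /3D /Subtype /U3D /Length 0 >>")
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Annot /Subtype /3D /3DD 2 0 R >> endobj\n"
    b"2 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_OBJSTM)).encode() + b" >>\nstream\n" + _OBJSTM
    + b"\nendstream\nendobj\n%%EOF\n"
)
```

Run `scan_pdf_for_3d` over files at a mail gateway or in a quarantine folder; a raw grep for `/U3D` alone would miss the compressed object stream in the sample.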
The affected versions are Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Unix, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh, but the reported attacks have targeted only Adobe Reader 9.x on Windows, the software firm said.
Adobe expects to make available an out-of-cycle update for Adobe Reader and Acrobat 9.x for Windows no later than the week commencing 12 December 2011.
"Focusing this release on just Adobe Reader and Acrobat 9.x for Windows also allows us to ship the update much earlier," said Brad Arkin, Adobe's director of product security and privacy.
"Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X and Acrobat X for Windows, with the next quarterly security update for Adobe Reader and Acrobat currently scheduled for 10 January 2012," the company said.
Updates for Adobe Reader and Acrobat X and earlier versions for Macintosh, and for Adobe Reader 9.x for Unix, are also scheduled for 10 January 2012.
Arkin is urging Adobe Reader and Acrobat users to upgrade to the 10.x version. "We put a tremendous amount of work into securing Adobe Reader and Acrobat X, and, to date, there has not been a single piece of malware identified that is effective against a version X install. Help us help you by running the latest version of the software!" he said.