One of the vulnerabilities (CVE-2011-2462) was announced by Adobe on Dec. 6. After that announcement, Symantec said that the flaw was being actively exploited in email-based attacks against critical infrastructure industries designed to infect computers with the Backdoor.Skyipot virus.
Adobe subsequently learned about a second vulnerability (CVE-2011-4369) that was also being exploited in the wild.
“There have been reports of two critical vulnerabilities being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows. These vulnerabilities (CVE-2011-2462, referenced in Security Advisory APSA11-04, and CVE-2011-4369) could cause a crash and potentially allow an attacker to take control of the affected system”, Adobe said in its Dec. 16 security bulletin.
The update plugs these flaws in Adobe Reader and Acrobat 9.x for Windows. Adobe said that users of Adobe Reader 9.4.6 and earlier 9.x versions for Windows should update to Adobe Reader 9.4.7 and users of Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows should update to Adobe Acrobat 9.4.7.
The company reiterated its plan to wait until the next quarterly security patch update on January 10, 2012, to fix these vulnerabilities in Adobe Reader X and Acrobat X for Windows and Mac because the protected mode in these versions prevent an exploit targeting these vulnerabilities from executing.