Adobe admits to another PDF security vulnerability

Reports indicate that the latest security vulnerability, for which Adobe released a security advisory this week, is already being exploited in the wild.

The advisory describes a hole in Adobe Acrobat and Acrobat Reader. The vulnerability, which is triggered by JavaScript crafted into a malicious PDF file, can crash the system and allow the attackers to take control of a PC or a Mac. The bug affects version 9.2 of Acrobat and Acrobat Reader on the Windows, Mac, and UNIX platforms.

Adobe updated its advisory to post a planned patch date for the security vulnerability, stating that it will be fixed on January 12, essentially giving the blackhat community a whole month to exploit it (and longer, for those users who fail to implement the patch).

However, there are workarounds in the meantime. "Customers using Adobe Reader or Acrobat versions 9.2 or 8.1.7 can utilize the JavaScript Blacklist Framework to prevent this vulnerability", the Adobe advisory said.

It added that those Windows users able to take advantage of the operating system's data execution prevention (DEP) feature would be at reduced risk. They would suffer only a denial-of-service attack, rather than facing complete takeover of their system, Adobe said.

HD Moore, author of the Metasploit penetration testing toolkit, posted a message on Twitter on Tuesday, saying: "Adobe PDF 0.9-day added to Metasploit", along with instructions for implementing it. This suggests that attacks using the security vulnerability will become widespread long before the vulnerability is patched.

Users can also turn off Acrobat's JavaScript functionality altogether, a measure that would also have mitigated another Acrobat zero-day flaw found earlier this year. This is the latest in a long list of critical Adobe zero-day flaws found in 2009.
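Every mitigation the article mentions revolves around JavaScript embedded in PDF files, so a defender's first triage question for a suspicious PDF is whether it carries auto-executing JavaScript at all. The scanner below is an added example, not code from Adobe or from this article; it builds its own constructed sample PDF, handles the `#xx` name escapes and FlateDecode compression that hide keywords from naive string searches, and flags JavaScript that is wired to an open action or an event action.

```python
import re
import zlib

# PDF name objects may spell letters as #xx hex escapes (e.g. /J#61vaScript),
# so names are normalised before any keyword matching.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Match stream bodies; the lookbehind stops "endstream" from matching "stream".
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

INDICATORS = [
    (re.compile(rb"/JavaScript\b"), "JavaScript action"),
    (re.compile(rb"/JS\b"), "inline JavaScript code"),
    (re.compile(rb"/OpenAction\b"), "open action"),
    (re.compile(rb"/AA\b"), "event-triggered actions"),
]

def normalise_names(data: bytes) -> bytes:
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Append the inflated content of every Flate-compressed stream so that
    keywords inside compressed objects are visible to the scan."""
    extra = []
    for m in STREAM.finditer(data):
        try:
            # decompressobj tolerates a truncated trailer; bad headers raise
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (or damaged): nothing to add
    return data + b"\n" + b"\n".join(extra)

def scan_pdf(data: bytes) -> dict:
    text = normalise_names(inflate_streams(data))
    hits = {desc: len(pat.findall(text)) for pat, desc in INDICATORS}
    # JavaScript alone is not proof of malice; JavaScript bound to an
    # automatic trigger is what merits analyst attention.
    has_js = hits["JavaScript action"] + hits["inline JavaScript code"] > 0
    auto = hits["open action"] + hits["event-triggered actions"] > 0
    hits["auto_executing_javascript"] = has_js and auto
    return hits

def build_sample() -> bytes:
    """Constructed sample: the JavaScript action sits inside a Flate stream
    and its action name is hex-escaped; the script itself is a harmless alert."""
    inner = b"<< /S /J#61vaScript /JS (app.alert('constructed sample')) >>"
    comp = zlib.compress(inner)
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /Length " + str(len(comp)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + comp
            + b"\nendstream\nendobj\n%%EOF")

if __name__ == "__main__":
    print(scan_pdf(build_sample()))
```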
