SOFTWARE DEVELOPER Adobe has announced that it will release emergency patches for two vulnerabilities that were found in its Reader and Acrobat software last week.
The company said last Wednesday that it was investigating a report by security firm FireEye, which had received "PDF files tainted with malicious software" that could take advantage of a newly discovered flaw.
"Adobe plans to make available updates for Adobe Reader and Acrobat XI for Windows and Macintosh, X for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux, during the week of February 18, 2013," the company said on Saturday in its security incident response team's blog.
The company also said it has updated an associated security advisory to include the planned schedule for a patch to resolve bulletins CVE-2013-0640 and CVE-2013-0641 in Reader for Windows, OS X and Linux.
The vulnerabilities were first discovered last Wednesday by FireEye, which said in a blog post that it had identified a PDF zero-day flaw that was being exploited in the wild.
"We observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1," FireEye said in its blog.
Upon successful exploitation, the malicious code will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain.
However, further information regarding the flaws is not available, as both FireEye and Adobe have agreed not to release any technical details of the zero-day exploit to the public until the issue has been resolved. µ