A zero-day exploit for Adobe Reader has been making the rounds since yesterday. From Adobe’s advisory:
A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.
McAfee has some more details. While the vulnerability isn’t widely exploited yet, more malware using this bug is expected soon. Since Adobe Reader is installed on a huge number of machines, this is an interesting target for attackers.
Two other factors might make this even worse: first, many users tend to ignore updates for these kinds of products, and second, there is no update available yet. Adobe has announced that updates for Adobe Reader 9 are scheduled for March 11th, with updates for versions 8 and 7 following later.
This is a good reminder not to ignore security updates for non-Microsoft products. Once the update from Adobe becomes available, be sure to install it. And while you’re at it, give Secunia’s PSI a try. According to them, 98% of all PCs are running software with known vulnerabilities!