Adobe is plugging critical security holes in its Adobe Reader X and earlier versions for Windows and Macintosh, and Adobe Acrobat X and earlier versions for Windows and Macintosh, as part of its quarterly patch update.
The update includes fixes for two zero-day flaws – CVE-2011-2462 and CVE-2011-4369 – in Adobe Reader and Acrobat 9.x for Windows that were patched on Dec. 16. Symantec had noted that CVE-2011-2462 was being actively exploited in email-based attacks, aimed at critical infrastructure industries, that were designed to infect computers with the Backdoor.Sykipot virus.
“There have been reports of two critical vulnerabilities being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows. These vulnerabilities (CVE-2011-2462, referenced in Security Advisory APSA11-04, and CVE-2011-4369) could cause a crash and potentially allow an attacker to take control of the affected system”, Adobe warned in its Dec. 16 security bulletin.