Release date: December 6, 2011
Last updated: January 10, 2012
Vulnerability identifier: APSA11-04
CVE number: CVE-2011-2462
Platform: All
A critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Linux, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.
Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing.
Adobe recommends users of Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.2). Adobe recommends users of Adobe Acrobat X (10.1.1) for Windows and Macintosh update to Adobe Acrobat X (10.1.2). For more information please refer to Security Bulletin APSB12-01. Adobe recommends users of Adobe Reader 9.4.6 and earlier 9.x versions for Linux update to Adobe Reader 9.4.7. For more information, see Security Bulletin APSB11-30.
Note: Adobe Reader for Android and Adobe Flash Player are not affected by this issue.
Adobe categorizes this as a critical issue.
A critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Linux, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh.
This U3D memory corruption vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in the wild in limited, targeted attacks against Adobe Reader 9.x on Windows. Adobe Reader X Protected Mode and Acrobat X Protected View mitigations would prevent an exploit of this kind from executing.
Adobe recommends users of Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.2). Adobe recommends users of Adobe Acrobat X (10.1.1) for Windows and Macintosh update to Adobe Acrobat X (10.1.2). For more information please refer to Security Bulletin APSB12-01. Adobe recommends users of Adobe Reader 9.4.6 and earlier 9.x versions for Linux update to Adobe Reader 9.4.7. For more information, see Security Bulletin APSB11-30.
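The version ranges above, written as an inventory check; this is an added example, not Adobe's code. Versions are compared as integer tuples because the string "9.4.6" sorts after "10.1.2". Assumptions: the inventory rows, host names and the `protected_mode` flag are constructed, and the 9.4.7 fix level for the 9.x branch on Windows is inferred from the December 16, 2011 revision note.

```python
def parse_version(text):
    """'9.4.6' -> (9, 4, 6): tuples compare numerically, strings do not."""
    return tuple(int(part) for part in text.strip().split("."))

# (product, platform, major branch) -> first fixed version.
FIXED = {("reader", "linux", 9): (9, 4, 7)}            # stated in the advisory
for _product in ("reader", "acrobat"):
    for _platform in ("windows", "macintosh"):
        FIXED[(_product, _platform, 10)] = (10, 1, 2)  # stated in the advisory
    # Assumption: fix level inferred from the December 16, 2011 revision note.
    FIXED[(_product, "windows", 9)] = (9, 4, 7)

def triage(product, platform, version, protected_mode=False):
    """Return (status, note) for one installed copy."""
    product, platform = product.lower(), platform.lower()
    installed = parse_version(version)
    fixed = FIXED.get((product, platform, installed[0]))
    if fixed is None:
        return ("unlisted", "no fixed version for this branch here; see the bulletins")
    target = ".".join(str(n) for n in fixed)
    if installed >= fixed:
        return ("fixed", "at or above " + target)
    note = "update to " + target
    if installed[0] == 10 and protected_mode:
        # Per the advisory, Protected Mode / Protected View would stop this exploit.
        note += "; Protected Mode/View enabled"
    if (product, platform, installed[0]) == ("reader", "windows", 9):
        # The branch the advisory reports as exploited in the wild.
        note += "; patch first, reported exploited in the wild"
    return ("affected", note)

# Constructed inventory rows: (host, product, platform, version, protected_mode)
INVENTORY = [
    ("ws-01", "Reader", "Windows", "9.4.6", False),
    ("ws-02", "Reader", "Windows", "10.1.1", True),
    ("ws-03", "Acrobat", "Macintosh", "10.1.2", False),
    ("lx-01", "Reader", "Linux", "9.4.7", False),
    ("mac-01", "Reader", "Macintosh", "9.4.6", False),
]

def report(rows=INVENTORY):
    """Map each host to its (status, note) pair."""
    return {host: triage(p, plat, ver, pm) for host, p, plat, ver, pm in rows}

if __name__ == "__main__":
    for host, (status, note) in report().items():
        print(f"{host:7} {status:9} {note}")
```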
Adobe would like to thank Lockheed Martin CIRT and members of the Defense Security Information Exchange for reporting this issue and for working with Adobe to help protect our customers.
January 10, 2012 - Advisory updated with information on Adobe Reader and Acrobat X (10.x) for Windows and Macintosh updates, and information on Adobe Reader 9.x for Linux update.
December 16, 2011 - Advisory updated with information on Adobe Reader and Acrobat 9.4.7 for Windows updates.
December 15, 2011 - Advisory updated with information on expected release date.
December 6, 2011 - Advisory released.