It was a relatively quiet Patch Tuesday for Microsoft this month, with just one security update being issued for Windows users (and even then, it was only rated “critical” for users of Windows 2000).
But it was a different matter entirely for Adobe, who on the same day issued fixes for multiple vulnerabilities in its Adobe Reader and Adobe Acrobat software, one of which has been actively exploited by hackers (and detected by Sophos as Troj/PDFJs-FS since mid-December).
If you’re a user of Adobe Reader and Acrobat (and, let’s face it, most of you are) then please go and read the security bulletin, and download the updated versions right now.
Of course, it was possible to protect yourself against the Adobe zero-day attack even before a patch was available by disabling JavaScript in Adobe Reader.
All you had to do was adjust the appropriate option under the Edit / Preferences menu.
Unfortunately, judging by a recent interview given by Brad Arkin, Adobe’s security chief, it doesn’t look like you should hold your breath for JavaScript support to be removed from Adobe’s PDF reader.
Malicious PDFs are one of the favoured methods used by the bad guys to launch a spear-phishing or targeted attack against companies – so the best way to protect your business is to ensure that you have proper security in place, and are running a fully-patched version of Adobe’s products.