Urgent! Adobe users told to patch Reader and Acrobat against zero-day attacks

Adobe has warned computer users to update their installations of Adobe Reader and Acrobat as a matter of urgency, after it was discovered that malicious hackers were exploiting a critical zero-day vulnerability in targeted attacks.

According to the software company, it is “aware of evidence that indicates an exploit in the wild is being used in limited, isolated attacks targeting Adobe Reader users on Windows.”

The Mac versions of Acrobat and Reader are said not to be at risk.

If exploited, the vulnerability (CVE-2014-0546) allows an attacker to bypass Adobe Reader's sandbox and run malicious code with escalated privileges on the targeted Windows PC.

In response, Adobe has issued a security bulletin, recommending that users update their software at the earliest opportunity.

  • Users of Adobe Reader XI (11.0.07) and earlier versions for Windows should update to version 11.0.08.
  • For users of Adobe Reader X (10.1.10) and earlier versions for Windows, who cannot update to version 11.0.08, Adobe has made available version 10.1.11.
  • Users of Adobe Acrobat XI (11.0.07) and earlier versions for Windows should update to version 11.0.08.
  • For users of Adobe Acrobat X (10.1.10) and earlier versions for Windows, who cannot update to version 11.0.08, Adobe has made available version 10.1.11.

Security researcher Costin Raiu blogged that the attacks are currently “very limited” in number, but – of course – that’s going to be no consolation if you are one of the unfortunate organisations that finds itself in the sights of the hackers exploiting the flaw.

Raiu cautioned that even though the attacks were “very rare”, it was still recommended that all users update their computers “as soon as possible”.

By default, Adobe Reader should update itself automatically – but many users have reported in the past that they have had to wait a disturbing length of time before they receive notification that a new version is available.

For that reason, I would recommend that organisations and end users check manually, via Help > Check for Updates, whether a newer version is available rather than waiting for the automatic notification.
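For administrators who would rather not click through the Help menu on every machine, here is an added example (not from the original article, and not Adobe's own tooling) that reads the installed Adobe Reader and Acrobat versions from the standard Windows uninstall registry keys and flags any build older than the fixed releases listed in the bulletin above. The `Test-AdobeBuildPatched` function and the `$Fixed` table are my own; the registry paths are the normal Windows uninstall locations, not Adobe-specific keys.

```powershell
# Added example: check installed Adobe Reader / Acrobat builds on a Windows host
# against the fixed versions from Adobe's bulletin for CVE-2014-0546.
# Not part of the original article; names and layout are the editor's own.

# Minimum patched build per major branch, as listed in the bulletin:
# XI branch needs 11.0.08, X branch needs 10.1.11.
$Fixed = @{
    '11' = [version]'11.0.8'
    '10' = [version]'10.1.11'
}

function Test-AdobeBuildPatched {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$DisplayVersion
    )
    # [version] parses '11.0.07' as 11.0.7, so a numeric comparison against
    # 11.0.8 works even though Adobe writes the build with a leading zero.
    $v = [version]$DisplayVersion
    $branch = "$($v.Major)"

    if (-not $Fixed.ContainsKey($branch)) {
        # A branch the bulletin does not cover (e.g. an older major version).
        # Surface it for review rather than silently passing it as patched.
        return [pscustomobject]@{
            Product = $DisplayName; Version = $v; Status = 'Branch not covered by bulletin'
        }
    }

    $status = if ($v -ge $Fixed[$branch]) {
        'Patched'
    } else {
        "Vulnerable (update to $($Fixed[$branch]))"
    }
    [pscustomobject]@{ Product = $DisplayName; Version = $v; Status = $status }
}

# Reader and Acrobat X/XI are 32-bit applications, so on 64-bit Windows their
# uninstall entries live under Wow6432Node; check both hives to be safe.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Adobe (Reader|Acrobat)' -and $_.DisplayVersion } |
    ForEach-Object {
        Test-AdobeBuildPatched -DisplayName $_.DisplayName -DisplayVersion $_.DisplayVersion
    } |
    Format-Table -AutoSize
```

Run it in a PowerShell console on the endpoint, or wrap the pipeline in `Invoke-Command` against a list of hosts to sweep a fleet. A row reading "Vulnerable" means the machine is still on a build that the bulletin says is affected; "Patched" means it is at or above the fixed release for its branch.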

Separately, Adobe has announced a raft of critical security vulnerabilities in another of its flagship products – Adobe Flash.

In a security bulletin about the Flash security flaws, Adobe said that it was not aware of any of them being exploited in the wild.

Windows, Mac and Unix users of Flash Player and Adobe AIR are advised to install the updates as soon as possible; most of the flaws have been given Adobe's highest severity rating.

Adobe, of course, is no stranger to hackers exploiting flaws in its software, and has itself been on the receiving end of major security incidents.

Although I might not be as dramatic as The Register, which reported the news of Adobe’s security patches with a warning that you only have “three days to patch”, I would agree that if you can’t get your systems patched and updated within 72 hours, you certainly have a serious problem.

Updates and security patches are a part of everyday life, as every IT administrator knows. The trick is to have systems in place which allow you to manage the process effectively, without negatively impacting the regular work of your organisation's staff.

This article originally appeared on the Optimal Security blog.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.
