Adobe on Tuesday confirmed the existence of an unpatched zero day vulnerability rated as "critical" in Adobe Reader X (10.1.1) and earlier versions for Windows and Macs, Adobe Reader 9.4.6 and earlier versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macs. In theory, the critical vulnerability could cause a crash and potentially allow an attacker to take control of the affected machine. And in practice?
"There are reports that the vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows," Adobe stated in a Security Advisory.
Unpatched security holes in Adobe software are nothing new, but what's disturbing about this one is the shout out to Lockheed Martin CIRT and members of the Defense Security Information Exchange for reporting the issue. It's possible, or at least conceivable, that U.S. defense agencies may have come under attack, though there have been no related reports, so it's purely speculation at this point.
At the same time, the issue has Adobe concerned enough to work on an out-of-schedule patch to be rolled out no later than the week of December 12, 2011.