Adobe have confirmed that an unpatched, or zero-day, vulnerability in Adobe Reader is being exploited by criminals.
Those attacks may have been aimed at US defence contractors.
Adobe promised to patch the bug in the Windows edition of Reader and Acrobat 9 no later than the end of next week. Tuesday, December 12 is also Microsoft's regularly-scheduled Patch Tuesday for the month.
The upcoming patch will be Adobe's sixth for Reader and Acrobat this year.
"A critical vulnerability has been [found] in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Unix, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh," Adobe said. "This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system."
The company issued a security advisory with what information it was willing to share.
'Limited, targeted attacks'
Adobe acknowledged that the vulnerability is being exploited in what it called "limited, targeted attacks" against Reader 9.x on Windows, but did not provide any additional information about where and when the attacks were occurring, or who had been targeted.
Adobe identified the bug as a "U3D memory corruption vulnerability," U3D, which stands for "universal 3D," is a compressed file format standard for 3-D graphics data promoted by a group of companies, including Adobe, Intel, and HP.
Reader vulnerabilities are typically exploited by attackers using malicious PDF documents that are attached to email messages with baited subjected heads that try to dupe recipients into opening the document.
Doing that also executes the malicious code - in this case, likely malformed U3D data - hidden in the PDF, compromising the victim's PC and letting the attacker infect the machine with other malware.
The attacks exploiting the unfixed flaw may have targeted US defence contractors: Adobe originally credited the security response teams at both Lockheed Martin and MITRE with reporting the vulnerability.
Lockheed Martin is one of the America's largest aerospace and defence contractors, and manufactures the F-22 Raptor fighter jet and won the contract to build the F-35 Lightning II, the planned successor to the F-16 Falcon aircraft.
MITRE manages several research centres funded by US government agencies, including the National Security Engineering Center for the Department of Defense, and the Center for Advanced Aviation System Development for the Federal Aviation Administration (FAA).
Lockheed Martin was in the computer security news last May when it admitted it had been the target of a "significant and tenacious cyberattack," which was allegedly conducted by leveraging information stolen several months earlier from RSA Security.
It's not unusual for companies targeted by hackers to be among the first to report a previously-unknown vulnerability, as they are, of course, in the best position to do so.
"My guess is they got it or were targeted and reported it to Adobe," said Mila Parkour, an independent security researcher. Parkour has been credited with reporting both Reader and Flash Player vulnerabilities to Adobe.
Adobe also has a connection to the Lockheed Martin attack of May; hackers exploited an unpatched bug in Adobe's Flash Player to gain initial access to RSA Security's network.
But minutes after Adobe issued its advisory, it changed the credits, retaining Lockheed Martin but replacing MITRE with the Defense Security Information Exchange (DSIE), a group of defense contractors that, according to a document on the White House website (download PDF), "share intelligence on cyber-related attacks."
MITRE was not able to comment on Adobe initially giving it credit for reporting the Reader zero-day to Adobe.
Adobe, meanwhile, said that the original credit to MITRE had been incorrect. However, MITRE is one of the organisations on the Defense Industrial Base (DBI), a superset of the DSIE. Other defence contractors who belong to the DBI include Boeing, General Dynamics, Lockheed Martin, Northrup Grumman, Pratt & Whitney and Raytheon.
The DSIE did not reply to questions about whether one or more of its members had been targeted by the Reader exploits.
While a patch for Reader and Acrobat 9 will reach users next week, Adobe said it will not deliver fixes for Reader and Acrobat 10 for Windows, as well as all versions for Mac OS X and Unix, until January 10, 2012.
Adobe justified those delays on the grounds that Reader 10, also called Reader X, includes anti-exploit "sandbox" technology that isolates the application from the rest of the computer, and thus blocks the exploit now in circulation.
The company said that the risk to Macintosh and Unix users was "significantly lower" because attacks have been spotted targeting only Windows PCs.