Adobe is to issue a patch tomorrow, after warning that hackers are again using malicious PDFs to break into Windows PCs.
This is the fourth time in a year that a bug in the popular Reader PDF viewer and the Acrobat PDF maker has been exploited. Adobe said there have been "limited targeted attacks".
That phrasing generally means hackers are sending the rigged PDF documents to a short list of users, often company executives or others whose PCs contain confidential information.
The bug exists in Reader and Acrobat versions 9.1.3 and earlier on Windows, Mac OS and Linux, said Adobe in a security advisory, but as far as the company knows, it is being exploited only to hijack Windows PCs.
"There are reports that this issue is being exploited in the wild in limited targeted attacks," said Adobe. "The exploit targets Adobe Reader and Acrobat 9.1.3 on Windows."
Adobe will plug the hole next week as part of its quarterly security update for Reader and Acrobat. Last June, Adobe announced it would follow the lead of companies like Microsoft and Oracle, and release regular security updates for Reader and Acrobat.
Originally, Adobe was to post patches last month, but a scramble during July to fix several flaws, including some introduced by Microsoft in a code 'library' used by its own developers, as well as those in other companies, wreaked havoc on Adobe's schedule. It said more than a month ago that it would instead push the patch date into October.
Until a patch is released next week, Windows Vista and Windows 7 users can protect themselves by enabling Data Execution Prevention (DEP), a security feature designed to stop some kinds of exploits - buffer overflow attacks in particular - by blocking code from executing in memory that's supposed to contain only data. Instructions on how to enable DEP are available on Microsoft's support site.
Adobe has struggled this year to stay ahead of hackers. In March, the company quashed a PDF bug that attackers had been using for more than two months. It again patched Reader and Acrobat in May to block another zero-day.
In July Adobe fixed a Flash PDF-related flaw that was being used by hackers.
Tomorrow's Reader and Acrobat updates will also patch an unknown number of other vulnerabilities, Adobe said.