The bad guys of the IT business are always looking for the most effective ways to infect the innocent Internet user, and increasingly that means turning to commonly used web browser plug-ins such as Flash or PDF readers. A couple of years ago we were reporting critical vulnerabilities for all Adobe Flash platforms, and towards the end of last year there were reports of a critical vulnerability in Adobe Reader. Cue Jaws soundtrack: just when you thought it was safe to go back in the Adobe PDF water.
According to an official Adobe security warning, "All currently supported shipping versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable" to another zero-day JavaScript vulnerability. That's all shipping versions on all platforms, including Mac and Unix.
Adobe says that it "plans to provide updates for all affected versions for all platforms to resolve this issue", although it cannot currently say how long this will take other than to confirm it is "working on a development schedule for these updates and will post a timeline as soon as possible."
So what should you do in the meantime? Adobe recommends that in order to mitigate the issue, JavaScript should be immediately disabled in both Adobe Reader and Acrobat. Alternatively you could, of course, find another application for your Flash and PDF requirements which is less popular and not so attractive to the bad guys.
As Graham Cluley, senior technology consultant with security outfit Sophos, says: "this is far from the first time that critical vulnerabilities have been found in Adobe's software, and there is growing concern that the vendor's dominant market share of the PDF reader market is proving extremely attractive for hackers hellbent on infecting as many PCs as possible."
That said, Adobe's track record is not as poor as, for example, Internet Explorer or even Windows itself when it comes to being a hit target for security exploits. As Mozilla has discovered, when lots of people move to your product it simply shifts some of that bad guy focus to your product.