Adobe has the dubious distinction of developing the three most commonly exploited pieces of software: Adobe Reader, Adobe Acrobat, and Adobe Flash. Each time yet another vulnerability in an Adobe product is discovered, users are encouraged to upgrade. Well, if you followed that advice and moved to Adobe Reader / Acrobat version 9, now you have a whole new vulnerability to worry about. This one is due to Adobe Reader and Acrobat's incestuous relationship with Flash, which Adobe somehow thought was a good feature to add to its already vulnerability-laden product line.
This latest goof is especially frustrating given that the vast majority of Adobe Reader users just want to view a static document. Adding "features" that leave us all vulnerable to drive-by infections is not a worthwhile trade-off for the convenience of a document reader.
If you use a Mac, I heartily recommend dumping Adobe altogether and using the very capable (and already included) Mac Preview app instead. If you use Windows, or still want to risk Adobe Reader/Acrobat on a Mac, you'll have to delete the Adobe files that enable the drive-by infection vector. For instructions, see:
- How to Prevent SWF (Flash) in Adobe Reader/Acrobat in Windows
- How to Prevent SWF (Flash) in Adobe Reader/Acrobat in Mac OS X (Unix steps included too)
While you're tweaking that bit of security, be sure to harden the rest of the vulnerable settings in Adobe Reader and Acrobat.
I would recommend updating to the latest version of Adobe Reader or Acrobat, but (a) there currently is no patch available, and (b) we've seen what good upgrading has done with regards to Adobe flaws.
