Adobe today released a patch for a flaw (CVE-2011-2462) in Adobe Reader 9. The flaw is actively being used in targeted attacks and can be used to take full control of the targeted machine. If you are interested in the technical details, one of the samples has been analyzed in detail by Brandon Dixon and Mila Parkour.
We recommend applying this patch as quickly as possible.
Adobe Reader X contains the same flaw, but the current attack is neutralized due its additional sandbox. While this does not mean that Adobe Reader X users are completely safe, it is a remarkable illustration of the effectiveness of the additional security features that newer products have been enhanced with.
The designers of Google’s Chrome browser spent a considerable amount of time on its sandboxing capabilities (see here for a illustrated walk-through on some of the design choices) and it has been quite effective – we do not know of any publicly disclosed attacks against Google’s browser at this time.
There is a great technical evaluation of security in browsers available at Accuvant, and, while it is was funded by Google, the technical insight it provides is valuable. It’s a very enjoyable technical read, written by some of the industry’s brightest security engineers. Hopefully you have time to look at it over the holidays.