Adobe Releases Critical Update For Reader, Acrobat

The update repaired a total of 18 vulnerabilities in Adobe Reader 9.3.2 and Acrobat 9.3.2 and earlier versions, across a spate of platforms that included Mac OS X, Windows and Linux. Several of the patches in Tuesday's update plugged holes that were considered critical, indicating that attackers could launch remote code execution attacks.

Adobe accelerated the updates for both Reader and Acrobat from their original release date of July 13 after reports revealed that some of the vulnerabilities were exploited in the wild. The next quarterly patch won't issued be until Oct. 12.

Among other things, the update addresses the misuse of the "launch" functionality of the PDF specification that enables social engineering attacks. Specifically, the update includes functionality that blocks attempts to launch an executable by default, while altering the way the existing warning dialog works to deflect known social engineering attacks, Adobe said in a blog post Tuesday.

Adobe urged Mac and Windows users to upgrade to the latest Reader and Acrobat versions of 9.3.3, as soon as possible due to the fact that the vulnerabilities are currently being used in active attacks. For Mac and Windows users who can't install the update, Adobe provided the older Adobe Reader 8.2.3 update.

As of late, Adobe has been both attempting to keep up with a slew of vulnerabilities, while not overloading its users by spacing out the fixes. Most recently, the company patched a critical Flash bug June 24 after warning users of active exploits in its Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Mac, Linux and Solaris OS.

If exploited the vulnerability could potentially cause a user's computer to crash and enable attackers to take complete control of an infected system to steal sensitive data and incorporate the victim's computer into a botnet. Adobe warned users in its advisory that the vulnerability was actively being exploited in the wild against Flash Player, Adobe Reader and Acrobat.

Adobe also recommended some workarounds in its security advisory that involved deleting the "authplay" component, the agent that handles Flash content embedded within PDF files.

The company also maintained that other changes were coming down the pike, including offering the latest version of language platform pairs on the Adobe Download Center scheduled to make a debut on July 13.

In addition, Adobe recently activated the new Adobe Reader and Acrobat Updater for its users.

"Our data showed that the user population adopted the last update roughly three times faster than previous updates. This is an extremely important metric, since it greatly reduces the windows of exposure available to attackers," said Adobe's Steve Gottwals in a blog post Tuesday.

"Adobe Reader is relied upon by individuals, businesses and governments worldwide and the security of our users continues to be a key priority for us," Gottwals said. "As part of our commitment, we continually listen to the feedback from our users and the community at large. That feedback is paramount, as we continue to develop new capabilities that strengthen the security of our products."