Adobe Going Out-Of-Band With Reader, Acrobat Fixes

In a bulletin issued Thursday, Adobe said it's developing updates for Adobe Reader 9.3.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.3 for Windows and Macintosh, and Adobe Reader 8.2.3 and Acrobat 8.2.3 for Windows and Macintosh.

Adobe rated the vulnerability as "critical," the highest on its four-level scale, while Danish security research firm Secunia classified it as "highly critical," or four on its five-point scale.

Charlie Miller, principal analyst at Independent Security Evaluators, disclosed the vulnerability last week in a presentation at the Black Hat USA 2010 security conference. Miller has a penchant for finding Apple vulnerabilities, and for the past three years at the CanSecWest Pwn2Own hacker contest, he's managed to use Safari browser vulnerabilities to gain access to MacBooks.

Attackers can exploit the flaw, which lies in the processing of TrueType fonts, by rigging a malicious PDF document and getting a user to open it. Doing so leads to memory corruption and could pave the way for malicious code execution.


So far, though, these sorts of attacks don’t appear to have materialized. "We are not aware of any exploits in the wild around any of the vulnerabilities that will be fixed in this out-of-band update," an Adobe spokesperson said in email.

One of the two critical iOS 4.0 vulnerabilities that surfaced earlier this week in the wake of the JailbreakMe 2.0 launch stems from the mobile Safari browser's handling of PDF documents, and that flaw could allow a remote attacker to load malicious code onto an iPhone or iPad by getting the user to click on a link on a rigged website.

Adobe plans to release its next quarterly security update for Adobe Reader and Acrobat on October 12.