Adobe has released updated versions of its Reader and Acrobat products to close 23 vulnerabilities.
The updates had been scheduled for 12 October, but Adobe moved them forward a week because of active exploitation of a zero-day vulnerability the company confirmed last month. That unpatched flaw, which earned vulnerability tracking firm Secunia's most severe rating of 'extremely critical', could be exploited to crash a user's machine or take complete control of it, according to Adobe's earlier advisory.
Five days after that disclosure, Adobe revealed another unpatched bug affecting Reader and Acrobat. However, unlike the zero-day, Adobe said it was not aware of any in-the-wild attacks targeting the vulnerability. The next quarterly updates for Adobe Reader and Acrobat are due to be released on the 8th February 2011.
Wolfgang Kandek, CTO at Qualys, said: “The new version fixes two zero-day vulnerabilities that have seen limited exposure in the wild: CVE-2010-2884 is a vulnerability in Adobe Flash that was addressed last week in the standalone Flash Player. Adobe Reader includes its own version of Flash and needs to be patched independently. CVE-2010-2883 is a vulnerability in the font handling of Adobe Reader and can be triggered by opening a malicious PDF document. Exploit code has already been made available in some of the exploit tools; the attack is well documented and easy to integrate for malware authors.”
Andrew Storms, director of security operations for nCircle, said: “Adobe is hitting customers with a double whammy today. Obviously, Adobe products continue to be at the top of the target list for malware writers. They patched a zero-day flaw in Flash in late September, and today they are releasing their quarterly Acrobat update ahead of schedule because of another zero-day.
“The sandbox feature Adobe has promised for its Acrobat products can't come a minute too soon. We have to hope Adobe has more strategic security initiatives up their collective sleeves, because right now they are struggling just to keep up with attackers.”