Adobe has patched 17 vulnerabilities in its flagship Reader and Acrobat software.
Following the revelation that one zero-day flaw is being used to launch in-the-wild attacks and that another takes advantage of a native PDF feature, users of Reader for Windows, Macintosh and Unix are encouraged to upgrade to version 9.3.3, and users of Acrobat for Windows and Mac are being asked to do the same.
A fix was also issued for a vulnerability that could allow an attacker to take control of an affected system. An emergency patch was issued at the start of June for a Flash Player vulnerability, and these new fixes come two weeks ahead of Adobe's planned patch release.
All but one of the other 16 vulnerabilities patched in Reader and Acrobat could have led to code execution. The remaining bug could only be confirmed as a denial-of-service vulnerability, although Adobe did not rule out the possibility that code execution could be demonstrated.
Steve Gottwals, group product manager at Adobe, confirmed that the next quarterly update is scheduled for 12th October 2010. He said: “Today's update includes changes to resolve the misuse of this command. We added functionality to block any attempts to launch an executable or other harmful objects by default.
“We also altered the way the existing warning dialog works to thwart the known social engineering attacks. If your organisation relies on this capability, we recommend that the functionality be re-enabled.”
Martin Roesler, director for threat research at Trend Micro, said: “Adobe PDF was a main target for malware writers during the last months, so we are very delighted to see this response from Adobe. We strongly advise to install these updates as soon as possible.”