Stephen Withers
Friday, 20 August 2010 08:14
Adobe has released updates for Acrobat and Reader that fix multiple critical security vulnerabilities.
Out-of-cycle security updates for Adobe Acrobat and Reader address multiple security vulnerabilities that the company classed as critical.
The vulnerabilities addressed by Acrobat and Reader 9.3.4 include the possibility of executing arbitrary code contained in a maliciously formed TrueType font. Adobe has also used the update to deliver further mitigations against the social engineering attack addressed in the 9.3.3 updates which were released at the end of June.
That attack worked by causing Acrobat or Reader to open a malicious object such as an attached executable while displaying a dialog designed to allay victims' fears. Shortly after the update was released, it was discovered that Adobe's blacklist of potentially harmful filetypes could be defeated by enclosing the malicious filename in quotes.
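Why a filetype blacklist fails on a quoted name, and one way to harden the check, shown as an added example that is not Adobe's code or part of the original article. The extension lists and function names are hypothetical, and the blacklist is assumed to be a comparison against the text after the last dot.

```python
import os

# Constructed lists for illustration; not Adobe's actual filetype lists.
DENYLIST = {".exe", ".bat", ".cmd", ".com", ".scr", ".vbs"}
ALLOWLIST = {".pdf", ".txt", ".png", ".jpg"}


def naive_is_blocked(name: str) -> bool:
    """Blacklist check on the raw string, as assumed for this example."""
    ext = os.path.splitext(name)[1].lower()
    return ext in DENYLIST


def canonical_extension(name: str) -> str:
    """Reduce a name to the extension the operating system will act on."""
    cleaned = name.strip()
    # Quotes are shell syntax, not part of the file name on disk.
    cleaned = cleaned.replace('"', "").replace("'", "")
    # Only the final path component decides the file type.
    cleaned = cleaned.replace("\\", "/").rsplit("/", 1)[-1]
    return os.path.splitext(cleaned)[1].lower()


def hardened_is_allowed(name: str) -> bool:
    """Default deny: open only types on the allowlist, after normalising."""
    return canonical_extension(name) in ALLOWLIST


def audit(names):
    """Return names the naive blacklist lets through but the hardened check
    refuses. Useful as a regression test for the filter."""
    return [n for n in names
            if not naive_is_blocked(n) and not hardened_is_allowed(n)]


# Constructed sample attachment names.
SAMPLES = ["report.pdf", "setup.exe", '"setup.exe"', '"notes.txt"', "README"]

if __name__ == "__main__":
    for n in SAMPLES:
        print(f"{n!r:16} naive_blocked={naive_is_blocked(n)!s:5} "
              f"hardened_allowed={hardened_is_allowed(n)}")
    print("passes blacklist but refused by allowlist:", audit(SAMPLES))
```

The quoted name yields the extension `.exe"`, which matches no blacklist entry; the hardened version normalises first and then refuses anything not explicitly permitted, including names with no extension.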
The latest updates also incorporate the Flash Player update released earlier this month. Download links can be found in Adobe security bulletin APS10-15.
The 9.3.4 updates for Acrobat and Reader apply to the Windows, Macintosh and Unix versions. They can be installed by using the Check for Update commands. The Reader full installer will be updated to version 9.3.4 by the end of the month.
Users of older operating systems that are stuck on Acrobat or Reader 8.x are advised to update to the 8.2.4 versions.
A quarterly update of Reader and Acrobat remains scheduled for October 12.