Stephen Withers
Tuesday, 14 September 2010 17:28
Adobe will bring forward by a few days the release of its next quarterly update for Acrobat and Reader in response to a recently-discovered vulnerability that is being exploited in the wild. There's also a warning of an actively exploited vulnerability in Flash Player that will be fixed at the same time.
Last week, Adobe warned its users that a critical vulnerability in Acrobat and Reader was being actively exploited, but did not say when it expected to release a fix.
Shortly after, Adobe and Microsoft stated that the latter's EMET (Enhanced Mitigation Experience Toolkit) 2.0 could be used to mitigate the issue - which stemmed from a library that does not take advantage of address space layout randomisation (ASLR) plus the use of an old and deprecated string function - on Windows XP, Vista, Windows Server 2003 and 2008, and Windows 7. While the vulnerability is also present in the Mac and Unix versions of the software, there are no reports of exploits.
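Whether a Windows library opts into ASLR is recorded in its PE header, so it can be audited without loading the file. The following is an added example, not code from Adobe, Microsoft or the original article: it reads the ASLR and DEP opt-in bits from a PE image, and `build_sample` is a hypothetical helper that constructs a minimal header for demonstration only.

```python
import struct

# Flag values from the PE/COFF specification.
RELOCS_STRIPPED = 0x0001   # COFF Characteristics: image cannot be rebased
DYNAMIC_BASE = 0x0040      # DllCharacteristics: image opts into ASLR
NX_COMPAT = 0x0100         # DllCharacteristics: image opts into DEP


def pe_mitigations(data: bytes) -> dict:
    """Report the ASLR/DEP opt-in bits of a PE image given its raw bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 + 72 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad or truncated PE header")
    # The 20-byte COFF header follows the signature; Characteristics is its last field.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 or PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & RELOCS_STRIPPED)
    return {
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # A module with no relocation data cannot be moved even if it opts in.
        "aslr_effective": dynamic_base and not relocs_stripped,
        "nx_compat": bool(dll_chars & NX_COMPAT),
    }


def build_sample(dll_chars: int, characteristics: int = 0x2102) -> bytes:
    """Constructed sample: minimal 32-bit DLL headers, no sections (hypothetical helper)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(pe_mitigations(build_sample(0x0000)))      # library built without ASLR opt-in
```

To audit a real module, pass the bytes of the DLL file to `pe_mitigations`; a module reporting `aslr_effective: False` loads at a predictable address unless a mitigation such as EMET forces relocation.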
The company has now announced that an update is expected in the week of October 4. This update will be a slightly accelerated release of the quarterly update that was scheduled for October 12.
Adobe released out-of-cycle patches for Acrobat and Reader in August. As with the latest scare, the issue addressed at that time concerned font handling.
Adobe has also warned of a critical vulnerability in Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux and Solaris, as well as Adobe Flash Player 10.1.92.10 for Android. Acrobat and Reader 9.3.4 and earlier versions are also affected.