Due to ship tomorrow

Jun 28, 2010 13:54 GMT

Adobe is planning to ship an important security update for its Reader and Acrobat products tomorrow. The update will address a critical remote code execution vulnerability disclosed earlier this month, as well as other security issues.

In a Security Advisory released at the end of last week, Adobe explains that the batch of security fixes represents an acceleration of their normal quarterly security update cycle. The next security update was originally due to ship on July 13.

The rush was prompted mainly by a critical Flash Player security vulnerability disclosed as a zero-day and actively exploited in the wild since the beginning of June. The bug also affects the Reader and Acrobat component that allows the products to play Flash content embedded in PDF documents.

A pre-notification of the upcoming security patches was also posted by Wendy Poland on the Adobe Product Security Incident Response Team's (PSIRT) blog. "The updates will address critical security issues in the products, including CVE-2010-1297 referenced in Security Advisory APSA10-01. These security updates will be made available for Windows, Macintosh and UNIX," she writes.

In related news, an update for Flash Player on Solaris was also issued late last week. This was the only platform that still had a Flash Player version vulnerable to the zero-day bug described in CVE-2010-1297. Updated versions (10.1.53.64) for Windows, Mac and Linux were made available on June 11.

It is also worth mentioning that on Friday the Security Bulletin corresponding to the last Flash Player release was updated with information suggesting that the product remains vulnerable to a different remote code execution vulnerability, previously thought fixed. "Removed reference to CVE-2010-2188, which was not fully resolved with this update," the Security Bulletin revision reads. Security researcher Damian Put is credited with the discovery of this "LocalConnection Memory Corruption" bug, which was reported through TippingPoint's Zero Day Initiative (ZDI) program.