Feb 4, 2011 16:58 GMT

Adobe is preparing to release the first security updates for the new Adobe Reader and Acrobat X product line next Tuesday. The updates will address critical vulnerabilities.

The announcement was made by the Adobe Product Security Incident Response Team (PSIRT) and a prenotification security advisory was published.

"Adobe is planning to release updates for Adobe Reader X (10.0) for Windows and Macintosh, Adobe Reader 9.4.1 and earlier versions for Windows, Macintosh and UNIX, Adobe Acrobat X (10.0) for Windows and Macintosh, and Adobe Acrobat 9.4.1 and earlier versions for Windows and Macintosh to resolve critical security issues," the advisory notes.

Since updates for the X (10.0) and 9.4.1 versions will be bundled together in the upcoming security bulletin, it's hard to say whether the critical rating applies to vulnerabilities in just one of these branches or in both.

According to Adobe's severity rating system, critical corresponds to "a vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware."

However, Adobe Reader and Acrobat X, which were released back in November, feature sandboxing technology that promises to make arbitrary code execution extremely hard.

More precisely, even if attackers could exploit a vulnerability in the PDF rendering process, they would also need to break out of the sandbox in order to execute code on the underlying operating system.

In addition, on Windows Vista and 7 this would require bypassing security mechanisms such as DEP and ASLR for each of the two chained exploits.

This is not impossible, but it is very, very hard, even for experienced exploit writers. This should theoretically affect the impact and criticality of Adobe Reader and Acrobat X vulnerabilities.

The upcoming security updates are part of Adobe's uniform quarterly patch cycle and will be aligned with Microsoft's Patch Tuesday to allow administrators in enterprise environments to deploy them together.