Adobe Prepares Out-of-Band Reader Patch for Tomorrow

Adobe announced that the upcoming out-of-band security updates, which will address several critical security issues in its Reader and Acrobat products, are expected to land tomorrow.

Back in July, at the Black Hat security conference, reputed security researcher and Apple hacker Charlie Miller disclosed a previously unknown vulnerability in Adobe Reader.

The bug was used as a test case by the researcher in his talk on application crash analysis and Adobe later confirmed that it can be exploited to execute arbitrary code.

Given the public nature of Miller's disclosure and the fact that his presentation slides, containing a lot of details about the flaw, were posted online, Adobe decided that the best course of action would be to address the issue outside of the regular patch cycle.

The out-of-band security updates, which will contain fixes for multiple critical vulnerabilities, including Miller's, were originally scheduled for the week of August 16, 2010.

However, Adobe updated its Security Advisory yesterday to include a more exact release date. "This Security Advisory will be replaced with the final Security Bulletin upon release of the updates, currently expected on Thursday, August 19, 2010," the document reads now.

Last week we reported about security risks stemming from the fact that the Flash Player plug-in bundled in Adobe Reader and Acrobat (authplay.dll) is not updated at the same time as the standalone Flash Player application.

This unfortunate situation leaves users exposed to publicly disclosed Flash vulnerabilities, despite upgrading to the latest Flash Player version.

Brad Arkin, Adobe's director of product security and privacy, said at the time via Twitter that the upcoming out-of-band Reader and Acrobat patches will also update the bundled Flash interpreter to the latest version.

Since almost all vulnerabilities affecting Flash Player also affect authplay.dll it is very possible that many of the flaws that will be listed in the Adobe Reader and Acrobat Security Bulletin tomorrow will be identical to the ones revealed during the recent Flash Player update.