Softpedia
 


August 5th, 2010, 19:56 GMT · By

Adobe Prepares Out-of-Band Security Updates for Reader and Acrobat

Reader and Acrobat emergency patches to ship in two weeks
Adobe plans to deliver out-of-band security updates for its Reader and Acrobat products in two weeks. The new releases will contain emergency patches for several critical security issues including a zero-day vulnerability disclosed at the Black Hat security conference late last month.

"A Security Advisory has been posted in regards to upcoming Adobe Reader and Acrobat updates scheduled for the week of August 16, 2010. The updates will address critical security issues in the products, including CVE-2010-2862 which was discussed at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010. These security updates will be made available for Windows, Macintosh and UNIX," a prenotification announcement posted on the Adobe Product Security Incident Response Team (PSIRT) blog, reads.

CVE-2010-2862 refers to a zero-day vulnerability used as a test case by reputed security researcher Charlie Miller in his Black Hat talk on crash analysis. There are fears that ill-intentioned hackers could figure out the issue from Miller's presentation slides, which are now public and contain crash dump screenshots and other related information.

The new advisory notes that updates will be made available for Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh, and UNIX, as well as Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh. These patches fall outside Adobe's quarterly security update cycle, according to which the next fixes are scheduled to land on October 12, 2010.

In fact, this will be the third time in a year that Adobe has been forced to release updates out of band. Coupled with other push-backs to its scheduled releases, this makes one wonder if there's even any point in enforcing a quarterly update cycle, which is ultimately supposed to allow system administrators to plan patch deployment in advance.

There were rumors that, because of the high number of critical bugs and their frequency, Adobe was considering switching to a monthly cycle. However, in July the company announced that the next major version of Reader will feature a sandbox mode enabled by default. This is expected to significantly lower the impact of vulnerabilities, so the quarterly update cycle concept might yet be saved.

You can follow the editor on Twitter @lconstantin
