Address a vulnerability currently being exploited in the wild

Aug 1, 2009 11:02 GMT

Adobe has released a scheduled update for its Reader and Acrobat products to fix a remotely exploitable vulnerability that is actively being targeted in attacks. The flaw allows attackers to execute arbitrary code by embedding malformed Flash streams in PDF documents.

Almost a week ago, security experts warned that a zero-day Flash flaw was being exploited in drive-by attacks across the Web, using maliciously crafted SWF files or PDF files with Flash embedded in them.

Adobe concluded that, in addition to its Flash Player and AIR products, Adobe Reader and Acrobat were also vulnerable, because of their authplay.dll component. The company promised to ship patches for all products by July 31.
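The attack vector described above is Flash content carried inside a PDF. As an added defensive example that is not part of the article or of any Adobe tool, the following Python check flags PDFs that carry Flash: it looks for the /RichMedia annotation and related markers in the raw bytes and for SWF headers (FWS, CWS, ZWS) inside Flate-compressed streams. The marker list and the sample PDF are constructed assumptions for illustration.

```python
import re
import zlib

# Markers that usually accompany Flash inside a PDF (assumed, not from the article).
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib- and LZMA-compressed SWF
FLASH_MARKERS = (b"/RichMedia", b"/Flash", b"application/x-shockwave-flash", b".swf")

# Naive stream extractor: good enough for a triage check, not a full PDF parser.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _inflate(data: bytes) -> bytes:
    """Decompress a FlateDecode stream; return empty bytes if it is not zlib data."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return b""


def find_flash_indicators(pdf: bytes) -> dict:
    """Report Flash markers found in raw bytes and SWF headers found in streams."""
    hits = {"markers": set(), "swf_streams": 0}
    for marker in FLASH_MARKERS:
        if marker in pdf:
            hits["markers"].add(marker.decode())
    for stream in STREAM_RE.findall(pdf):
        # Check the stream as stored and, if Flate-compressed, its inflated form.
        for body in (stream, _inflate(stream)):
            if body[:3] in SWF_MAGICS:
                hits["swf_streams"] += 1
                break
    hits["markers"] = sorted(hits["markers"])
    return hits


def looks_like_flash_pdf(pdf: bytes) -> bool:
    """True when the document carries any sign of embedded Flash content."""
    found = find_flash_indicators(pdf)
    return found["swf_streams"] > 0 or bool(found["markers"])


def build_sample() -> bytes:
    """Constructed sample: a RichMedia annotation plus a Flate stream holding a fake SWF."""
    swf = b"FWS\x0a" + (0x40).to_bytes(4, "little") + b"\x00" * 56  # 64-byte dummy SWF
    payload = zlib.compress(swf)
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Annot /Subtype /RichMedia >>\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode /Length " + str(len(payload)).encode()
            + b" >>\nstream\n" + payload + b"\nendstream\nendobj\n%%EOF\n")
```

A hit is a triage signal for closer inspection or quarantine at a mail or web gateway, not proof of exploitation, since legitimate PDFs may also embed Flash.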

Adobe kept its word as far as Flash Player and AIR for Windows, Mac and Unix were concerned and, on July 30, it released updates patching ten critical vulnerabilities, including this one. "The update for Adobe Flash Player and Adobe AIR, Adobe Reader and Acrobat resolves a memory corruption vulnerability that could potentially lead to code execution (CVE-2009-1862)," the company advises.

Users who have Reader or Acrobat installed are urged to also upgrade to their just released 9.1.3 versions, which are available for all platforms. Adobe also notes in the security bulletin that an update for Flash Player on Solaris is still pending.

Last month, in an effort to improve its security-incident response for Reader and Acrobat, two of the most targeted applications in its portfolio, the company introduced a uniform patch cycle synchronized with Microsoft's "Patch Tuesday." However, because these updates were out-of-cycle, "Adobe is planning its next quarterly security update for Adobe Reader and Acrobat for Tuesday, Oct. 13," Wendy Poland of the company's Product Security Incident Response Team announces.

Recently, Danish vulnerability research company Secunia pointed out that Adobe is still offering the outdated Reader 9.1 version as the primary download on its website, sparking criticism from the security community. Adobe has explained that only single-dot releases are shipped as full installers, because of the more complex quality-assurance process.

Therefore, users who recently downloaded and installed Adobe Reader from the official website should immediately go to the program's "Help" menu and choose "Check for Updates" to ensure that they have the latest version.

The Adobe Reader 9.1.3, Adobe Acrobat Standard & Professional 9.1.3 and Adobe Acrobat Professional Extended 9.1.3 updates are available for download from Adobe.