Jun 10, 2011 15:55 GMT

Adobe is expected to release scheduled security updates for Adobe Reader and Acrobat next Tuesday in order to patch critical security vulnerabilities.

Updates will be made available for Adobe Reader X (10.0.1) for Windows and Adobe Reader X (10.0.3) for Macintosh; Adobe Reader 9.4.3 and earlier versions for Windows and Macintosh; Adobe Acrobat X (10.0.3) for Windows and Macintosh; and Adobe Acrobat 9.4.2 and earlier versions for Windows and Macintosh.

Of note is the update for Adobe Reader X for Windows, the only version of the program that features sandboxing technology capable of mitigating exploits and preventing arbitrary code execution.

Adobe Reader and Acrobat products follow a quarterly patching cycle that is aligned with Microsoft's Patch Tuesday in order to make patch management easier for admins. However, Adobe commonly breaks out of this cycle to patch zero-day vulnerabilities exploited in the wild.

Since the last scheduled security updates in February, Adobe has released two out-of-band patches, one in March and one in April. Both times the company opted to postpone the Adobe Reader X for Windows patch on the basis that users were already protected by Protected Mode (the sandbox).

This decision was criticized by the security community because it encourages admins and users to care less about Adobe Reader X updates for Windows. Adobe senior security strategist Steve Adegbite recently told us that this approach aims to decrease the costs associated with updating for the company's customers and that all those vulnerabilities will eventually be patched in a scheduled update.

Adobe recently released a Flash Player patch that addresses a dangerous cross-site scripting vulnerability that might also affect the Flash parser bundled with Adobe Reader and Acrobat. Since both previous 0-day vulnerabilities affecting the products were also in this component, it's likely that the bundled Flash component will be updated to a patched version.