Oct 1, 2010 13:39 GMT  ·  By

Adobe announced October 5 as a definitive release date for its upcoming Adobe Reader and Acrobat quarterly security updates, which will address two zero-day vulnerabilities.

On September 8, Adobe confirmed that a critical arbitrary code execution vulnerability exists in the latest versions of Adobe Reader and Acrobat, after discovering it being exploited in the wild.

Identified as CVE-2010-2883, the flaw was exploited in active attacks that infected users with malware by tricking them into opening maliciously crafted PDF documents.

Since Adobe Reader and Acrobat follow a uniform quarterly patch cycle and the next batch of updates was scheduled for October 12, the company temporarily considered releasing an out-of-band fix.

However, it eventually decided to bring the quarterly update forward and announced the week of October 4 as the new estimated delivery time, still leaving a significant window of attack open.

One week later, the company learned in a similar way about an actively exploited remote code execution bug in Flash Player.

The Flash vulnerability, known as CVE-2010-2884, was patched in Flash Player 10.1.85.3, which was released on September 20; however, it also affects Adobe Reader and Acrobat.

This is because Flash playback inside PDF documents is supported through a Flash interpreter included as authplay.dll in the two products.

Since this file is basically a copy of Flash Player, any Flash vulnerability can also be exploited by embedding malicious SWF content into PDFs.

Authplay.dll only gets modified during an Adobe Reader and Acrobat update, which means that even security-conscious people who installed the Flash Player patch are currently still vulnerable.
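Because the Flash interpreter in Reader and Acrobat stays unpatched until the October update, a practical interim measure for defenders is to triage incoming PDFs for embedded Flash content. The following is an added example, not code from the article or from Adobe: a heuristic scanner that looks for the RichMedia annotation keys Adobe's PDF extensions use for Flash (`/RichMedia`, `/Subtype /Flash`) and for the SWF file magic (`FWS`, `CWS`) inside raw and Flate-compressed streams. The sample PDF bytes are constructed here for illustration and are not a real SWF.

```python
import re
import zlib

# Heuristic markers for Flash content in a PDF: RichMedia annotation keys from
# Adobe's PDF extensions, the SWF MIME type, and the SWF header magic.
PDF_FLASH_MARKERS = [b"/RichMedia", b"/Subtype /Flash", b"application/x-shockwave-flash"]
SWF_MAGIC = (b"FWS", b"CWS")  # uncompressed and zlib-compressed SWF headers

# Matches the body of each "stream ... endstream" section (non-greedy).
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _inflate(data):
    """Best-effort Flate decompression; tolerates truncated streams."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        try:
            return zlib.decompressobj().decompress(data)
        except zlib.error:
            return b""


def find_flash_indicators(pdf_bytes):
    """Return a sorted list of indicators suggesting the PDF carries SWF content."""
    hits = set()
    for marker in PDF_FLASH_MARKERS:
        if marker in pdf_bytes:
            hits.add(marker.decode())
    for match in STREAM_RE.finditer(pdf_bytes):
        body = match.group(1)
        # Check both the raw stream and its inflated form for an SWF header.
        for blob in (body, _inflate(body)):
            if blob[:3] in SWF_MAGIC:
                hits.add("swf-magic:" + blob[:3].decode())
    return sorted(hits)


def build_sample_pdf():
    """Constructed sample: a PDF-like blob with a RichMedia annotation and a
    Flate-compressed stream whose content starts with the 'CWS' SWF magic."""
    fake_swf = b"CWS" + bytes([10]) + b"\x00" * 20  # header only, not a real SWF
    compressed = zlib.compress(fake_swf)
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Annot /Subtype /RichMedia >> endobj\n"
            b"2 0 obj << /Length " + str(len(compressed)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + compressed +
            b"\nendstream\nendobj\n%%EOF\n")
```

A hit is a reason to open the file only in a viewer with Flash playback disabled, or to hold it for analysis, not proof of malice, since legitimate PDFs also embed Flash.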

"The updates [expected on Tuesday] will address critical security issues in the products, including CVE-2010-2883 referenced in Security Advisory APSA10-02 and CVE-2010-2884 referenced in the Adobe Flash Player Security Bulletin APSB10-22," the company said in a prenotification posted on the Adobe Product Security Incident Response Team (PSIRT) blog.