Nov 15, 2010 09:03 GMT

Adobe plans to ship critical security updates for Reader and Acrobat on Tuesday, which will address several publicly known and actively exploited vulnerabilities.

According to a prenotification announcement posted on the Adobe Product Security Incident Response Team (PSIRT) blog, this will be an out-of-band release aimed at fixing vulnerabilities previously disclosed as zero-days.

Adobe Reader and Acrobat follow a quarterly patch cycle, under which the next updates are expected on February 8, 2011. That is too far away to leave these critical flaws unpatched, hence the accelerated release.

Tomorrow's update will address a Flash vulnerability (CVE-2010-3654) discovered in in-the-wild attacks at the end of last month.

The flaw was patched in Flash Player during the first week of November, but it also affects authplay.dll, the Flash interpreter embedded in Adobe Reader and Acrobat.

The new Reader and Acrobat fixes will also address a second zero-day vulnerability reported on November 4th, for which proof-of-concept exploit code has already been published online.

The bug has been publicly known as a denial-of-service (DoS) condition since November 2009, but there are indications that arbitrary code execution is also possible.

Other critical vulnerabilities patched in Flash Player earlier this month will also be incorporated in the new Reader and Acrobat updates.

However, only the Windows and Mac versions of the products will get patches tomorrow. The fixes for UNIX flavors are expected on November 30.

The company is also preparing to release the next major iteration of the product line, dubbed Adobe Reader and Acrobat X (10).

It will have sandboxing technology enabled by default, meaning that PDF parsing will happen in a restricted environment with very limited access to the operating system.

This kind of isolation makes it very difficult to exploit a vulnerability in order to execute arbitrary code and compromise the computer.