Critical Security Update Released for Adobe Reader and Acrobat

Adobe has released its scheduled quarterly security updates for Adobe Reader and Acrobat, addressing a large number of critical vulnerabilities.

In total, the updates provide fixes for 29 vulnerabilities in Adobe Reader and Acrobat X (10.0), 9.4.1 and 8.2.5 on Windows and Mac. Updates for the UNIX platform are expected around February 28.

A number of 23 security issues could be exploited to execute arbitrary code, while an additional three might have the same impact, but it hasn't been demonstrated yet.

Two of the remaining vulnerabilities stem from input validation weaknesses that could trigger cross-site scripting conditions, while the last one is a file permissions issue that could be exploited to elevate privileges.

Two remote code execution flaws affect only Mac flavor of the products, while the file privilege escalation one is an Windows-only problem.

The impact of the vulnerabilities is lower for Adobe Reader and Acrobat X than for older versions, because of the new Protected Mode sandboxing technology.

It's also worth noting that these updates include the newly released Flash Player 10.2, which addresses server security issues in its own right.

Eleven of the vulnerabilities were reported through TippingPoint's Zero Day Initiative program and the most active security researcher for this release was Peter Vreugdenhil with seven disclosures.

"Adobe recommends users of Adobe Acrobat X (10.0) for Windows and Macintosh update to Adobe Acrobat X (10.0.1). Adobe recommends users of Adobe Acrobat 9.4.1 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4.2, and users of Adobe Acrobat 8.2.5 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.6," the company writes in its security bulletin.

The latest version of Adobe Reader for Windows can be downloaded from here.

The latest version of Adobe Reader for Mac can be downloaded from here.