Oct 6, 2010 06:19 GMT

Adobe has released Adobe Reader and Acrobat 9.4 to address a total of 23 vulnerabilities, many of which are marked as critical and allow for remote code execution.

This major security update also fixes a zero-day vulnerability, identified as CVE-2010-2883, that has been actively exploited in the wild since early last month.

A second arbitrary code execution bug (CVE-2010-2884), originally discovered and patched in Flash Player, has been resolved.

The flaw, which has already been exploited to infect users with malware, affected Adobe Reader and Acrobat through authplay.dll, a component handling the playback of Flash content embedded in PDFs.

Because Adobe's products are patched on different timelines, users can remain exposed to Flash-based vulnerabilities in Reader and Acrobat even after they have been fixed in Flash Player.

Three arbitrary code execution flaws patched in this update affect only the Mac platform, one only Windows, while multiple privilege escalation issues affect Linux systems.

In addition, there are sixteen cross-platform memory corruption and input validation errors that can lead to code execution and two denial of service conditions.

For users who are still using the 8.x product versions and can't update, the company has released Adobe Reader and Acrobat 8.2.5. These releases are only available for Windows and Mac.

Since June 2009, Adobe Reader and Acrobat have followed a uniform update cycle, where patches are supposed to be released on the second Tuesday of every quarter.

The company intended to have the updates aligned with Microsoft's Patch Tuesday in order to make it easier for administrators in corporate environments to plan in advance.

However, actively exploited zero-day vulnerabilities have forced the developer to break out of the cycle and reschedule quarterly updates multiple times so far.

This is also the case with these latest patches, which represent an accelerated release of the ones that should have landed next Tuesday, on October 12.

"The next quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011," the company announces, but it remains to be seen if that date will be respected.
