Softpedia
 


February 17th, 2010, 13:28 GMT · By

Out-of-Band Security Update for Reader and Acrobat Released



Critical vulnerabilities addressed in Adobe Reader and Acrobat 9.3.1
Adobe has broken the quarterly update cycle for Reader and Acrobat in order to patch a cross-domain vulnerability fixed earlier this month in Flash Player. The security update also addresses a critical memory corruption flaw reported by researchers at Microsoft.

Users are advised to update their Adobe Reader and Acrobat installations to 9.3.1 or 8.2.1 on all platforms; a similar update was released for Flash Player less than a week ago. "Adobe is planning to release an update for Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh to resolve critical security issues, including the Flash Player issue described in Security Bulletin APSB10-06," the company's Product Security Incident Response Team (PSIRT) announced at the time.

The new Adobe Reader and Acrobat advisory (APSB10-07) explains that "this vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system."

Adobe Reader is one of the most attacked software packages on the Internet, together with Flash Player, the Java Runtime and Internet Explorer, mainly because it is installed on the vast majority of computers in use today. However, because of the large number of zero-day vulnerabilities that have plagued the product in recent years, Adobe has faced strong criticism from the security community.

As part of an effort to reduce the number of security incidents, the company introduced a uniform quarterly patching cycle in June last year, aligned with Microsoft's Patch Tuesday. The fourth round of patches was scheduled for April, but this is already the second time the company has broken its predefined cycle to patch critical vulnerabilities.

The latest version of Adobe Reader for Windows can be downloaded from here.
The latest version of Adobe Reader for Mac can be downloaded from here.
The latest version of Adobe Reader for UNIX can be downloaded from here.

The latest version of Adobe Acrobat Professional for Windows can be downloaded from here.
The latest version of Adobe Acrobat Pro for Mac can be downloaded from here.

End users can also update their installations by selecting Help > Check For Updates Now in the program.
