The update includes fixes for two zero-day flaws – CVE-2011-2462 and CVE-2011-4369 – in Adobe Reader and Acrobat 9.x for Windows patched on Dec. 16.
Symantec had noted that CVE-2011-2462 was being actively exploited in email-based attacks against critical infrastructure industries designed to infect computers with the Backdoor.Skyipot virus.
“There have been reports of two critical vulnerabilities being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows. These vulnerabilities (CVE-2011-2462, referenced in Security Advisory APSA11-04, and CVE-2011-4369) could cause a crash and potentially allow an attacker to take control of the affected system”, Adobe warned in its Dec. 16 security bulletin.
Adobe decided to delay the fixes for Acrobat and Reader X as well as for the Mac versions to speed up the release of the out-of-band patch, Adobe said in the earlier bulletin.
At that time, Adobe reiterated its plan to wait until the next quarterly security patch update to fix these vulnerabilities in Adobe Reader X and Acrobat X for Windows and Mac because the protected mode in these versions prevents an exploit targeting these vulnerabilities from executing.