Adobe issues another out-of-band patch

Adobe, still smarting from its embarrassment over releasing a patch 16 months after a vulnerability was submitted, released an update this past Saturday for Adobe Reader 9.34 Windows, Macintosh, and UNIX, Adobe Acrobat 9.34 Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh.

The security advisory did not outline the nature of the vulnerability, although flaws marked as critical allow malicious code to execute, potentially without the user being aware. The out-of-band patch, which will be released on Tuesday, the day after the long US weekend, will also fix a critical vulnerability in Adobe Flash Player and the Adobe AIR virtual machine. That vulnerability could subvert the main sandbox in the player, enabling unauthorized cross-domain requests, according to Adobe.

Luckily, at least for the Flash Player and AIR issue, users can protect themselves over the weekend by upgrading to subsequent versions of Flash Player and AIR to fix the problem. Flash Player versions 10.0.42.34 and earlier are affected, according to Adobe, which advises upgrading to version 10.0.45.2. AIR version 1.5.3.9120 is affected by the vulnerability and should be replaced with version 1.5.3.9130. The update will also resolve a potential denial-of-service issue, according to the company.

"So, hey, just use Preview instead of Adobe's products, and update Flash as soon as possible," said Macintosh anti-malware company Intego. "Flash objects can be embedded on any website, and you may not even know that Flash is being used."
