Vulnerability CVE-2009-4324 allowed a JavaScript function to be manipulated via a maliciously-coded PDF. Arbitrary code could be executed on the host machine in this way. This patch finally fixes that vulnerability, although the challenge for Adobe will be getting users to install it.
However, this update officially brings the silent updater program for Acrobat and Reader into beta test mode, which could help solve that problem in the long run. The software, which had been distributed on the quiet with the last patch in October, will now be tested by a select few until it goes live for everyone in April.
The critical update also solved several other problems, including a DLL-loading vulnerability, a memory corruption problem, and a buffer overflow issue in the download manager, along with an integer overflow vulnerability. All of these could lead to remote code execution, Adobe warned.
The company also reminded users that they should update from version 7 of Adobe Reader and Adobe Acrobat. Support for these versions ceased in December.
Adobe also flagged up a Microsoft security advisory on the Product Security Incident Response Team (PSIRT) blog yesterday. Advisory 979267 warns users that Windows XP redistributes an earlier version of Adobe Flash player [version 6]. Adobe no longer supports that version, which, according to the Microsoft advisory, contains multiple vulnerabilities that could allow the execution of arbitrary code — although Microsoft said that it knows of no exploits in the wild.