Adobe warns of critical holes in Reader, Acrobat

Summary: Adobe is advising Reader and Acrobat users of a critical security flaw; users should prepare for an update scheduled for August 14.

Adobe announced today that it will release an update for Adobe Reader (9.5.1) and Acrobat (10.1.3) and earlier versions for both Windows and Mac to fix critical security flaws.

The updates will be released on August 14 -- this coming Tuesday. 

The pre-notification security advisory warning -- APSB12-16 -- gives few details, except noting the affected software versions and the severity of the security flaws.

  • Adobe Reader X (10.1.3) and earlier 10.x versions for Windows and Mac
  • Adobe Reader 9.5.1 and earlier 9.x versions for Windows and Mac
  • Adobe Acrobat X (10.1.3) and earlier 10.x versions for Windows and Mac
  • Adobe Acrobat 9.5.1 and earlier 9.x versions for Windows and Mac

The flaws are rated "critical," meaning malicious native code can be executed without a user's knowledge.

Out of the six versions of Adobe Reader and Adobe Acrobat, four have a priority rating of 2, signifying "a vulnerability that has historically been at elevated risk," despite "no known exploits." 

However, both products have versions for Windows and Mac that are at rating 1, noting that a vulnerability is "being targeted" or at a "higher risk of being targeted." These updates should be installed within 72 hours of the security fix release. 

Talkback

10 comments
  • OMG! The horror!

    I've never heard of such a terrible failure before this very moment! Oh wait did you say Adobe? Never mind.

    Pagan jim
    James Quinn
  • What they really need to fix...

    ... is that execrable FNP Licensing piece of s**t.
    Vesicant
  • Zero Days?

    Are these new vulnerabilities zero days that have been used in targeted state sponsored (cough....cough.....cough China umm...cough..scuse...me) attacks?
    It wouldn't surprise me.
    f0real
  • Dog bites man

    ... cat chases mouse ... duck takes to water ... Adobe Acrobat is malware magnet

    Zack, Zack, Zack ... this is *not* news.
    thx-1138_
  • Flash is worse

    Another POS that needs to be retired.
    CaviarBlack
  • To misinformed readers

    This is a planned Quarterly update.
    It should be deployed every 3 months, but this time it's already passed 4 months.
    Rikkrdo
    • Adobe No Longer Provides Quarterly Updates

      Hi Rikkrdo,

      It has passed 4 months now because Adobe no longer uses the quarterly update cycle and instead now releases updates as necessary but still aligns with Microsoft’s Patch Tuesday (2nd Tuesday of each month) when releasing such updates in order for system administrators to roll out both Adobe and Microsoft updates together across a large number of PCs. Rolling out both sets of updates at once is more efficient than rolling them out a few days apart from each other.

      The announcement of no longer providing quarterly updates was made in the following blog post:

      http://blogs.adobe.com/asset/2012/04/background-on-security-bulletin-apsb12-08.html

      I hope this helps. Thanks.
      JimboC421
      • Maybe not officially, but...

        ... well, in practice it did again, with an added month. (Same time-frame from 10.1.1 to 10.1.2).

        So, the latest (official) quarterly was 10.1.3 as shown in Release Notes.

        (Thanks for the info)
        Rikkrdo
        • Still Quarterly

          It is still officially a quarterly update, as noted everywhere from release notes to download pages.
          Blog is wrong.
          End of history.
          Rikkrdo
  • Flash logo used for this article

    Hi Zack,

    Thanks for the heads up on these updates. I noticed this article a few hours before checking Adobe’s PSIRT blog later to see their post about the upcoming updates.

    One point that I would like to make is that the logo that you used for this article is the Adobe Flash logo when these are actually Adobe Reader and Acrobat updates. I originally thought this was a Flash player update before I read the article. This is a small point but can be a little confusing at first.

    As of Adobe Reader/Acrobat 9.5.1 untrusted Flash content in PDFs no longer uses the built-in Flash player present within Adobe Reader/Acrobat but instead uses the Flash player from your web browser to render the content (which is more likely to be up to date and not affected by a known security flaw). So in other words, Flash and Reader/Acrobat aren’t as related as they once were.

    Full details are present in the following blog post:

    http://blogs.adobe.com/adobereader/2012/07/three-common-adobe-reader-and-acrobat-security-questions.html

    Thanks.
    JimboC421