
Adobe gives date for critical out-of-band PDF patch

The company will patch a zero-day flaw in Acrobat and Reader that was first publicised at the beginning of September, and the update will also address a critical flaw in the software.
Written by Tom Espiner, Contributor

Adobe has given a date for when it will patch a number of critical vulnerabilities in its Reader and Acrobat PDF software.

The company has brought forward the critical patches from a planned release date of 12 October to Tuesday, 5 October. Adobe will patch a zero-day vulnerability plus a critical vulnerability in versions of the software, it said in a notice on Thursday.

Vulnerable software versions and platforms include: Adobe Reader 9.3.4 for Windows, Mac and Unix; Adobe Acrobat 9.3.4 for Windows and Mac; and Adobe Reader 8.2.4 and Acrobat 8.2.4 for Windows and Mac.

The zero-day flaw has reportedly been exploited in the wild since at least 8 September, according to Adobe advisory APSA10-02. The stack-based buffer overflow flaw, which has the Common Vulnerabilities and Exposures (CVE) number CVE-2010-2883, could allow an attacker to take over a computer system. The flaw was discovered by security researcher Mila Parkour, according to the Metasploit blog.

The second critical flaw in Acrobat and Reader, which also affects Adobe Flash Player, will be patched on Tuesday. The unspecified critical flaw, coded CVE-2010-2884, has been patched in Flash, according to Adobe's APSB10-22 bulletin.

Adobe warned of exploits targeting the zero-day flaw in September. Later in the month, Microsoft and Adobe announced that a Microsoft toolkit could mitigate the critical zero-day flaw.
