Adobe plugs more gaping holes in PDF Reader

The vulnerabilities are rated "critical" and affect Adobe Reader and Adobe Acrobat on all platforms -- Windows, Mac and Linux.
Written by Ryan Naraine, Contributor

Adobe today released an out-of-band security update to patch a pair of gaping holes that expose hundreds of millions of computer users to remote code execution attacks.

This Reader/Acrobat update falls outside the company's scheduled quarterly patch cycle. It is not yet clear why Adobe opted for an out-of-band patch, but the presence of Microsoft's security research team as a flaw-finder on this bulletin suggests Redmond may have pressured Adobe to rush out a fix.

Adobe insists there are no active attacks or exploit code publicly available.

There is also a clear connection to a patch released last week for Adobe Flash Player. That Flash patch covered a hole (CVE-2010-0186) that could subvert the domain sandbox and allow unauthorized cross-domain requests.

In today's Reader/Acrobat bulletin, the same vulnerability is referenced as affecting Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh.

Adobe also credited Microsoft's researcher with discovering a critical vulnerability (CVE-2010-0188) that could cause the application to crash and could potentially allow an attacker to take control of the affected system.

From the advisory:

Adobe recommends users of Adobe Reader 9.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.1. (For Adobe Reader users on Windows and Macintosh who cannot update to Adobe Reader 9.3.1, Adobe has provided the Adobe Reader 8.2.1 update.) Adobe recommends users of Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.1. Adobe recommends users of Acrobat 8.2 and earlier versions for Windows and Macintosh update to Acrobat 8.2.1.

Adobe is shipping these patches via the product's automatic update facility. The default installation configuration runs automatic updates on a regular schedule, and can be manually activated by choosing Help > Check For Updates Now.
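One defender-side way to act on the version matrix in the advisory above (an added example, not Adobe's or the article's code): it encodes the fixed releases per product and platform and flags inventory records that are still below them. The inventory rows, hostnames and the `needs_update`/`audit` helper names are constructed for this example.

```python
"""Flag Adobe Reader / Acrobat installs still below the fixed releases
named in the advisory quoted above. The fixed-version table is taken
from that advisory text; the inventory records are constructed data."""

# (product, platform) -> {major branch: lowest fixed version on that branch}.
# Reader on UNIX: the advisory only offers the 9.3.1 update, no 8.2.1.
FIXED = {
    ("reader", "windows"):  {9: (9, 3, 1), 8: (8, 2, 1)},
    ("reader", "mac"):      {9: (9, 3, 1), 8: (8, 2, 1)},
    ("reader", "unix"):     {9: (9, 3, 1)},
    ("acrobat", "windows"): {9: (9, 3, 1), 8: (8, 2, 1)},
    ("acrobat", "mac"):     {9: (9, 3, 1), 8: (8, 2, 1)},
}

def parse_version(text):
    """'9.3' -> (9, 3, 0); pad to three parts so that 9.3 sorts below 9.3.1."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def needs_update(product, platform, version):
    """Return the version the host should move to, or None if it is already
    at or above a fixed release. KeyError if the advisory does not cover
    the product/platform pair (e.g. Acrobat on UNIX)."""
    branches = FIXED[(product.lower(), platform.lower())]
    v = parse_version(version)
    # A branch with its own fix (8.x on Windows/Mac) is judged against that
    # fix; any other branch is judged against the newest fixed release.
    target = branches.get(v[0], max(branches.values()))
    return None if v >= target else ".".join(map(str, target))

INVENTORY = [  # constructed sample records: (host, product, platform, version)
    ("ws-01", "Reader", "Windows", "9.3"),
    ("ws-02", "Reader", "Windows", "8.2.1"),
    ("srv-03", "Reader", "UNIX", "8.2.1"),
    ("mac-04", "Acrobat", "Mac", "9.3.1"),
]

def audit(records):
    """Return {host: required_version} for every record still exposed."""
    return {h: t for h, p, pl, v in records
            if (t := needs_update(p, pl, v)) is not None}

if __name__ == "__main__":
    for host, target in audit(INVENTORY).items():
        print(f"{host}: update to {target}")
```

Note that the UNIX host on Reader 8.2.1 is still flagged, because the advisory offers 8.2.1 only to Windows and Macintosh users who cannot move to 9.3.1.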

UPDATE: Adobe spokeswoman Wiebke Lips answers some of the lingering questions:

Why go out-of-band with this update? Are there attacks or exploit code in the wild?

The Flash Player vulnerability we fixed on February 11 also affects Adobe Reader and Acrobat. Rather than waiting for the next quarterly update for Adobe Reader and Acrobat, which is scheduled for April, Adobe decided to make this fix available as an out-of-cycle update. Adobe is not aware of any exploits in the wild for any of the issues patched in this release.

It looks like the Adobe Flash Player flaw from last week now affects Reader/Acrobat. Are you planning on updating the Flash bulletin with this information?

We actually already disclosed this information on February 11 by issuing a separate advisory for Adobe Reader and Acrobat, which discussed the Flash Player vulnerability.

Is there a link between Microsoft finding/reporting the code execution bug and the out-of-band release?

No—other than the fact that this particular vulnerability is also fixed in this update. We decided to go out-of-cycle because of the Flash Player vulnerability we fixed on February 11 and which also affects Adobe Reader and Acrobat. Rather than waiting for the next quarterly update for Adobe Reader and Acrobat, which is scheduled for April, Adobe made the decision to make this fix available as an out-of-cycle update.