Adobe patches 'critical' Reader, Acrobat flaws

The out-of-sequence patches address holes that could let attackers take control of Windows, Mac OS X and Unix systems
Written by Matthew Broersma, Contributor

Adobe has warned of two serious security flaws affecting Adobe Reader and Adobe Acrobat for the Windows, Mac OS X and Unix platforms, and issued patches for the bugs outside its usual patching schedule.

The bugs could allow attackers to make unauthorised cross-domain requests or take control of an affected system, the company said in its security advisory on Tuesday.

Last year the company committed to a quarterly patch schedule following criticism of its patching process from security researchers, but the new releases are urgent enough to be released outside that schedule, Adobe said.

The company said the bugs were 'critical', and independent security vendor Secunia rated them 'highly critical'.

The first of the flaws, affecting the Flash player included in Reader and Acrobat, could allow an attacker to subvert the domain sandbox and make unauthorised cross-domain requests. The bug is caused by an error in enforcing cross-domain restrictions.

A second bug could cause Reader or Acrobat to crash, and could also allow an attacker to execute malicious code and take control of a user's system.

People with Adobe Reader 9.3 and earlier versions for Windows, Mac OS X and Unix on their machines should update to Reader 9.3.1, Adobe advised. It also released Reader 8.2.1, which fixes the bugs.

Users of Acrobat 9.3 and earlier are being urged to update to Acrobat 9.3.1 or 8.2.1.
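The two paragraphs above give the only actionable detail in the advisory: anything on the 9.x branch below 9.3.1, or on the 8.x branch below 8.2.1, is affected. A defender checking a fleet inventory against those numbers has to compare dotted version strings correctly (so that 9.3.1.2 counts as patched and 9.3 as unpatched). The following script is an added example, not code from the article or from Adobe; the CSV inventory is constructed, and treating versions older than 8.x as needing an upgrade to 9.3.1 (and any newer major branch as outside this advisory's scope) are labelled assumptions.

```python
from __future__ import annotations

import csv
import io

# Fixed versions named in the advisory: one per affected major branch.
# Assumption: these are the only two branches Adobe patched in this release.
FIXED_VERSIONS: dict[int, tuple[int, ...]] = {
    9: (9, 3, 1),
    8: (8, 2, 1),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '9.3' or '9.3.0.148' into a tuple of ints, padded to at least
    three components so that '9.3' compares as (9, 3, 0)."""
    parts = tuple(int(p) for p in text.strip().split(".") if p != "")
    if not parts:
        raise ValueError(f"not a version string: {text!r}")
    return parts + (0,) * max(0, 3 - len(parts))


def needs_update(installed: str) -> tuple[bool, str | None]:
    """Return (vulnerable, recommended_version).

    The installed version is compared against the fixed version of its own
    major branch, using only as many components as the fixed version has,
    so a build such as 9.3.1.2 is recognised as already patched.
    """
    version = parse_version(installed)
    major = version[0]
    if major in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[major]
        if version[: len(fixed)] < fixed:
            return True, ".".join(str(n) for n in fixed)
        return False, None
    if major < min(FIXED_VERSIONS):
        # Assumption: branches older than 8.x fall under "9.3 and earlier"
        # and should move to the newest fixed release.
        return True, ".".join(str(n) for n in FIXED_VERSIONS[max(FIXED_VERSIONS)])
    # Assumption: a major branch newer than 9.x is outside this advisory.
    return False, None


# Constructed sample inventory (host, product, installed version).
INVENTORY = """host,product,version
pc-01,Adobe Reader,9.3.0
pc-02,Adobe Acrobat,8.2.1
pc-03,Adobe Reader,9.2.0
pc-04,Adobe Acrobat,9.3.1
pc-05,Adobe Reader,9.3.1.2
"""


def hosts_needing_update(csv_text: str) -> list[tuple[str, str, str, str]]:
    """Scan a CSV inventory and return (host, product, installed, target)
    for every machine still below the fixed version of its branch."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vulnerable, target = needs_update(row["version"])
        if vulnerable and target is not None:
            findings.append((row["host"], row["product"], row["version"], target))
    return findings


if __name__ == "__main__":
    for host, product, installed, target in hosts_needing_update(INVENTORY):
        print(f"{host}: {product} {installed} -> update to {target}")
```

The comparison is done on integer tuples rather than on the raw strings, which is the usual source of mistakes in this kind of check ("9.10" sorts before "9.3" as text). Feeding it a real inventory export means only changing the CSV column names in `hosts_needing_update`.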

On 11 February Adobe issued a patch for the Flash bug and notified users that the Acrobat and Reader patches were on their way.

Adobe's widely used technologies, including Flash and the PDF document format, have been the focus of an increasing number of security concerns in recent months. In January, for instance, Twitter temporarily disabled a feature based on Flash after a security researcher demonstrated the feature could be used to hijack user accounts.
