Adobe has released special out-of-cycle security updates to patch critical vulnerabilities in Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Mac. The vulnerabilities, referenced in a security advisory issued on 11 April, could cause a crash and potentially allow an attacker to take control of the affected system. The announcement was Adobe's second in four weeks concerning a zero-day vulnerability.
Vulnerabilities in Reader and Acrobat
Adobe says there are reports that one of the vulnerabilities, CVE-2011-0611, is being actively exploited in the wild against both Adobe Flash Player and Adobe Reader and Acrobat, as well as via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an e-mail attachment.
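As an added defender-side example (not code from Adobe or from the article), the scanner below flags a legacy OLE2 Office attachment (.doc/.xls) that carries an embedded Flash (SWF) header, the delivery vector the advisory describes; the version bound and the sample blobs are constructed assumptions.

```python
# Added example, not from Adobe or the article: flag Office attachments
# (.doc/.xls) that embed a Flash (SWF) file, the CVE-2011-0611 delivery vector.
import struct

SWF_SIGNATURES = (b"FWS", b"CWS")  # uncompressed / zlib-compressed SWF
SWF_MAX_VERSION = 40               # assumption: loose upper bound on the version byte
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file (legacy .doc/.xls)


def find_embedded_swf(data: bytes):
    """Return (offset, signature, version, declared_length) for each plausible SWF header."""
    hits = []
    for sig in SWF_SIGNATURES:
        idx = data.find(sig)
        while idx != -1:
            if idx + 8 <= len(data):
                version = data[idx + 3]
                length = struct.unpack_from("<I", data, idx + 4)[0]
                remaining = len(data) - idx
                # FWS declares the on-disk size, so it cannot exceed what is left of the
                # container; CWS declares the *uncompressed* size, so only a floor applies.
                plausible = (1 <= version <= SWF_MAX_VERSION and length >= 8
                             and (sig == b"CWS" or length <= remaining))
                if plausible:
                    hits.append((idx, sig.decode(), version, length))
            idx = data.find(sig, idx + 1)
    return sorted(hits)


def is_suspicious_office_attachment(data: bytes) -> bool:
    """True when an OLE2 document carries at least one plausible embedded SWF header."""
    return data.startswith(OLE_MAGIC) and bool(find_embedded_swf(data))


# Constructed samples (not real malware): a fake OLE2 container with an FWS header,
# and a clean one whose text merely contains "FWS" followed by an implausible version byte.
SAMPLE_WITH_SWF = (OLE_MAGIC + b"\x00" * 24 + b"FWS\x0a" + struct.pack("<I", 48)
                   + b"\x00" * 40)
SAMPLE_CLEAN = OLE_MAGIC + b"\x00" * 8 + b"Report: FWSx notation" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("with_swf", SAMPLE_WITH_SWF), ("clean", SAMPLE_CLEAN)):
        print(name, is_suspicious_office_attachment(blob), find_embedded_swf(blob))
```

Run against real attachments, the check is a cheap triage signal for mail gateways; a hit warrants detonation or blocking rather than proof of exploitation by itself.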
Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing, the company says.
Adobe recommends that users of Adobe Reader X (10.0.2) for Mac update to Adobe Reader X (10.0.3). For users of Adobe Reader 9.4.3 for Windows and Mac, Adobe has made the Adobe Reader 9.4.4 update available.
"Because Adobe Reader X Protected Mode would prevent exploits of the type targeting CVE-2011-0611 from executing, we are currently planning to address these issues in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for 14 June 2011," said Adobe.