A new security update from Adobe plugs at least 23 security holes in its PDF Reader and Acrobat software, including two vulnerabilities that attackers are actively exploiting to break into computers.
Adobe is urging Reader and Acrobat users of versions 9.3.4 and earlier for Windows, Mac and UNIX systems to upgrade to version 9.4 (Adobe says those who can’t upgrade to the 9.x version should instead apply the version 8.2.5 update).
Adobe says one of the 23 flaws fixed by this new version is being actively exploited. A second zero-day flaw corrected by today’s update — a critical vulnerability in Adobe Flash Player that the company fixed in a separate update last month for the stand-alone Flash Player — also exists in Adobe Acrobat and Reader, although Adobe says it is not yet aware of any attacks exploiting this flaw in those products.
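For admins who need to find the machines this advisory applies to, here is an added example (not from Adobe or this post) that triages a constructed endpoint inventory against the thresholds stated above: 9.3.4 and earlier is affected, 9.4 is the fix, and 8.2.5 is the fallback for those who cannot move to 9.x. Host names and the inventory rows are made up.

```python
"""Triage Adobe Reader/Acrobat versions against this advisory's thresholds."""
from typing import List, NamedTuple, Tuple

FIX_9X = (9, 4, 0)    # fixed release for the 9.x branch (advisory: 9.4)
FIX_8X = (8, 2, 5)    # fixed release for the 8.x branch (advisory: 8.2.5)


class Finding(NamedTuple):
    host: str
    product: str
    version: str
    vulnerable: bool
    advice: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.3' -> (9, 3, 0); tolerates two- or three-part version strings."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(host: str, product: str, version: str) -> Finding:
    v = parse_version(version)
    if v >= FIX_9X:
        # 9.4 or later is assumed to carry this fix and is not flagged here.
        return Finding(host, product, version, False, "patched")
    if v[0] == 8 and v >= FIX_8X:
        return Finding(host, product, version, False, "patched (8.x branch)")
    if v[0] == 8:
        advice = "upgrade to 9.4, or apply 8.2.5 if 9.x is not an option"
    else:
        advice = "upgrade to 9.4"   # 9.0-9.3.4 and anything older than 8.x
    return Finding(host, product, version, True, advice)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Finding]:
    """Return only the vulnerable entries, sorted by host name."""
    return sorted(f for f in (assess(*row) for row in inventory) if f.vulnerable)


# Constructed sample inventory: (host, product, version reported by the agent).
SAMPLE = [
    ("ws-01", "Reader", "9.3.4"),
    ("ws-02", "Acrobat", "9.4"),
    ("ws-03", "Reader", "8.2.4"),
    ("ws-04", "Reader", "8.2.5"),
    ("ws-05", "Reader", "7.1.0"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.host}: {f.product} {f.version} -> {f.advice}")
```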
Several readers have asked about a security feature Adobe has promised for future versions of Reader and Acrobat: a sandboxing technology designed to block the exploitation of previously unidentified security holes in its software. Adobe says that capability will be included in the next major release of these software titles, which is due out before the end of the year. Adobe’s Brad Arkin has more about this upcoming feature in a blog post published today.
Now that Adobe has moved to a quarterly patch cycle, this new major version is unlikely to coincide with the next scheduled security update, which isn’t planned until Feb. 8, 2011. However, at the rate Adobe is releasing security updates (it has issued emergency updates twice in the past year for Reader and Acrobat, and more often for Flash and other software), I doubt it will be that long before we see another critical Reader patch.
Adobe’s sandboxed version may well turn out to be more secure than other PDF readers, but I long ago stopped messing with Reader and switched to Foxit. There are other options as well, including Nitro PDF Reader and Sumatra.