Adobe and Microsoft today each issued software fixes to tackle dangerous security flaws in their  products. If you use Acrobat, Adobe Reader or Windows, it’s time to patch.

Microsoft released seven security bulletins addressing at least eight vulnerabilities in Windows. The lone “critical” Microsoft patch addresses a pair of bugs in Windows Media Player. Microsoft warns that attackers could exploit these flaws to break into Windows systems without any help from users; the vulnerability could be triggered just by browsing to a site that hosts specially crafted video content.

The other Windows patches earned a less severe “important” rating from Microsoft, although not everyone agrees with that assessment. Symantec’s Joshua Talbot said another bug fixed today — a glitch in the way Windows handles Microsoft Office files — is potentially more dangerous because it appears to be easier to exploit than the Media Player flaw.

“The vulnerability is due to an oversight that allows an attacker to run malware as soon as a user opens a Word or PowerPoint file,” Talbot said. “Email attachments will probably be the most common attack method in which this vulnerability is exploited. As usual, we strongly recommend users only open email attachments from people they know.”

More information on the other patches Microsoft released today is available here.

I want to call attention to a security issue that Microsoft addressed over the holiday break that I neglected to write about earlier, but which deserves equal attention and patching. On Dec. 29, Microsoft issued an out-of-band update to address a flaw in ASP.Net that could allow an attacker to force a user to visit a malicious web site. The vulnerability affects all versions of the .NET Framework on Windows XP and later versions of Windows. If you use Windows and see a .NET Framework patch awaiting your approval in Windows Update this month, don’t neglect it.

In a separate release, Adobe pushed out security updates for Adobe Reader and Acrobat. At the forefront of the Adobe patch batch is a fix for a zero-day flaw in Acrobat and Reader that Adobe first warned about in early December. Shortly after that warning, Adobe issued a fix for the flaw in Reader 9.x and Acrobat 9.x, but said it would wait until today (its scheduled, quarterly update) to address it in the new Reader X and Acrobat X versions of the software. Adobe recommends that users of Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.2). Updates are available for Windows and Mac versions of these titles; see the Adobe advisory for the patch download links.

As ever, if you experience any problems as a result of installing these updates, please drop a note in the comments below.

Members of an exclusive underground hacker forum recently sought to plant malware on KrebsOnSecurity.com, by paying to run tainted advertisements through the site’s advertising network — Federated Media. The attack was unsuccessful thanks to a variety of safeguards, but it highlights the challenges that many organizations face in combating the growing scourge of “malvertising.”

Last week, I listed the various ways this blog and its author has been “honored” over the past few years by the cybercrime community, but I neglected to mention one recent incident: On May 27, 2011, several hackers who belong to a closely guarded English-language criminal forum called Darkode.com sought to fraudulently place a rogue ad on KrebsOnSecurity.com. The ad was made to appear as though it was advertising BitDefender antivirus software. Instead, it was designed to load a malicious domain: sophakevans. co. cc, a site that has been associated with pushing fake antivirus or “scareware.”

The miscreants agreed to pay at least $272 for up to 10,000 impressions of the ad to be run on my site. Fortunately, I have the opportunity to review ads that come through Federated’s system. What’s more, Federated blocked the ad before it was even tagged for approval.

Darkode members plot to purchase a rogue ad on KrebsOnSecurity.com. They failed.

I learned about this little stunt roughly at the same time it was being planned; Much to the constant annoyance of the site administrators, I secretly had gained access to Darkode and was able to take this screen shot of the discussion. The incident came just a few weeks after I Tweeted evidence of my presence on Darkode by posting screenshots of the forum. The main administrator of Darkode, a hacker who uses the nickname “Mafi,” didn’t appreciate that, and promised he and his friends had something fun planned for me. I guess this was it. Interestingly, Mafi also is admin at malwareview.com and is the developer of the Crimepack exploit kit.

The Darkode forum launched sometime in 2008, and according to past and current members was used primarily as a support forum for the “Butterfly Bot,” a prolific bot program that was sold in the underground for several years by its creator, a hacker who used the name “Iserdo.” At some point, Iserdo sold the forum to other miscreants, and began running support for customers of his Butterfly Bot program via a Google Group called simply “Bf-Support”.

A message from Iserdo warning Butterfly Bot subscribers not to try to reverse his code.

In July 2010, the 23-year-old Iserdo was arrested by authorities in Slovenia on suspicion of running the infamous “Mariposa” botnet. According to the Mariposa Working Group — a partnership between the FBI and private security firms — Iserdo sold thousands of Butterfly kits for prices ranging from $500 to $2,000. The buyers of these kits didn’t need to know much about coding or hacking; the kits allowed even unskilled hackers to create relatively sophisticated botnets.

Butterfly Bot customers wonder why Iserdo isn't responding to support requests. He has just been arrested in Slovenia.

As evidenced by a recent front page story by USA Today’s Byron Acohido, malicious content embedded in online ads, or “malvertising,” is a long-standing problem that has recently taken a sharp turn for the worse: The story points to a recent analysis which documented a peak of 14,694 occurrences of malvertisements in May of this year, up from 1,533 in May 2010.

Many security-conscious readers have chosen to block ads altogether with browser add-ons like Adblock. Wholesale blocking ads can be effective in stopping malvertisements, but this approach also has the perverse effect of blocking a primary source of revenue for many sites (including this one). I have limited Federated Media to serving a very small slice of the ads on KrebsOnSecurity.com, and I am choosy about those that I let in. Add-ons like Noscript for Firefox allow users to be far more selective in which ads/scripts to allow and block.

In addition, many malvertisements rely on scripts that redirect browsers to sites that host exploit kits, software packages that probe the visitor’s browser for unpatched security flaws in popular plugins like Adobe Reader, Adobe Flash Player, Java, QuickTime and WinZip. Keeping these third-party apps up-to-date with the latest security fixes is a great way to fortify your browser against drive-bys. If you need help remembering to patch these programs, consider using a free program like Secunia’s Personal Software Inspector or FileHippo’s Update Checker.

Six million Web pages have been booby-trapped with malware, using security vulnerabilities in software that hundreds of thousands of e-commerce Web sites use to process credit and debit card transactions.

Web security firm Armorize said it has detected more than six million Web pages that were seeded with attack kits designed to exploit Web browser vulnerabilities and plant malicious software. The company said the hacked sites appear to be running outdated and insecure versions of osCommerce, an e-commerce shopping cart program that is popular with online stores.

Armorize said the compromised pages hammer a visitor’s browser with exploits that target at least five Web browser plug-in vulnerabilities, including two flaws in Java, a pair of Windows bugs, and a security weakness in Adobe‘s PDF Reader. Patches are available for all of the targeted browser vulnerabilities.

According to Armorize, the malware targets osCommerce websites and leverages several osCommerce vulnerabilities: osCommerce Remote Edit Site Info Vulnerability (disclosed July 10th, 2011); osCommerce 2.3.1 banner_manager.php Remote File Upload Vulnerability (disclosed May 14, 2011); and OsCommerce Online Merchant v2.2 File Disclosure And Admin ByPass, (disclosed May 30, 2010).

Earlier this year, I wrote a lengthy piece for Kaspersky’s Secureview magazine on this subject: The story warned that criminals were using osCommerce vulnerabilities to hijack tens of thousands of Web sites that were later used to relay junk email and to host phishing scams. If you operate a site that uses osCommerce, please take a moment to ensure that your shopping cart software is up-to-date. The Armorize blog post lists several ways to tell if your site has been hacked. A handy tutorial on securing osCcommerce applications is available here.

Adobe today issued more than a dozen security updates for its Acrobat and PDF Reader programs, including a feature update that will install future Reader security updates automatically. In addition, Adobe has shipped yet another version of its Flash Player software to fix a critical security flaw.

No doubt some will quibble with Adobe’s move toward auto-updating Reader: There is always a contingent in the user community who fear automatic updates will at some point force a faulty patch. But for better or worse, Adobe’s Reader software is the PDF reader software of choice for a majority of Windows computers in use today. Faced with incessant malware attacks against outdated versions of these programs, it seems irresponsible for Adobe to do anything other than offer auto-update capability to to Reader users more aggressively.

Adobe debuted this feature in April 2010, but at that the time Adobe decided to continue to honor whatever update option users had selected (the default has always been “download all updates automatically and notify me when they are ready to be installed”). With this latest update, Adobe will again prompt users to approve an auto-update choice, except this time the option pre-selected will be “Install Updates Automatically.”

I have long urged mere mortals (non-system administrators) to switch to a PDF reader that is less bulky and less targeted by cyber crooks and malware writers, such as Foxit, which also includes an auto-update mechanism. This advice is only reinforced when I read advisories like the one that shipped with today’s update, which may be decipherable by some but probably would completely mystify the average user:

“Adobe recommends users of Adobe Reader X (10.0.3) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1). For users of Adobe Reader 9.4.4 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1), Adobe has made available updates, Adobe Reader 9.4.5 and Adobe Reader 8.3. Adobe recommends users of Adobe Acrobat X (10.0.3) for Windows and Macintosh update to Adobe Acrobat X (10.1). Adobe recommends users of Adobe Acrobat 9.4.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4.5, and users of Adobe Acrobat 8.2.6 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.3.”

In short, this update fixes at least 13 security holes, including a zero-day vulnerability in Adobe’s Flash player software that the company patched last week (the same flaw is present in Reader and Acrobat). The patch also addresses the three flaws in Adobe Reader X for Windows that were previously fixed in the other supported versions of Adobe Reader and Acrobat. If you use either the Mac or Windows version of Adobe Reader or Acrobat, you should select “Help,” and then “Check for Updates.” If there is an update available, please apply it. Here’s hoping that Adobe’s auto-update feature will be timely (not wait weeks after a new version is available to update the installed product) and that it won’t foist additional software — browser add-ons, toolbars and security scanning tools that often have accompanied previous manual updates.

Adobe also shipped another version of its Flash Player software, the second security update for Flash in less than a week (last week Adobe pushed out an emergency update to fix a flaw that attackers were already exploiting). Adobe said it identified a critical flaw in Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.23 and earlier versions for Android. Adobe urges users of Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.181.26, available now. Adobe expects to make available an update for Adobe Flash Player 10.3.185.23 and earlier versions for Android before the end of the week of June 13, 2011.

To find out what version of Flash you have installed, click this link. Updates are available from the Flash player download page. Windows users who browse with something other than Internet Explorer will need to apply the Flash patch twice, once by visiting the download page with IE and a second time with Mozilla or Opera. Google Chrome users should already have the latest Flash update (automatically updated to Chrome version 12.0.742.100 for all platforms).

Update, 8:51 a.m. ET: Added information about another Flash update.

If it seems like you just updated your Flash Player software to plug a security hole that attackers were using to break into computers, you’re probably not imagining things: Three weeks ago, Adobe rushed out a new version to sew up a critical new security flaw. Today, Adobe issued a critical Flash update to eliminate another dangerous security hole that criminals are actively exploiting.

This new update addresses a vulnerability first detailed here at KrebsOnSecurity.com on Tuesday, and Adobe deserves credit for responding quickly with a patch. But there are few things that are simple about updating Flash, which ships in a dizzying array of version numbers and for many users must be deployed at least twice to cover all browsers. In addition, users may have to uninstall the existing version before updating to guarantee a trouble-free install. Also, Adobe Air will need to be updated if that software also is already installed. Finally, fixing this same vulnerability in Adobe Reader and Acrobat will require installing another patch, which won’t be out for at least another 10 days.

The new version fixes a flaw that exists in Flash v. 10.2.153.1 (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.2.156.12 and earlier versions for Android.

Adobe recommends that users of Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier versions for Chrome users) for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.2.159.1 (Adobe Flash Player 10.2.154.27 for Chrome users). Adobe recommends users of Adobe AIR 2.6.19120 and earlier versions for Windows, Macintosh and Linux update to Adobe AIR 2.6.19140. Adobe expects to make available an update for Adobe Flash Player 10.2.156.12 and earlier versions for Android no later than the week of April 25, 2011.

Not sure which version of Flash you have? Visit this version checker link to find out. Remember that if you use Internet Explorer in addition to other browsers, you will need to apply this update twice: Once to install the Flash Active X plugin for IE, and again to update other browsers, such as Firefox and Opera. Updates are available by browsing with the appropriate browser to the Flash Player Download Center. Bear in mind that updating via the Download Center involves installing Adobe’s Download Manager, which may try to foist additional software. If you’d prefer to update manually, the direct installers for Windows should be available at this link.

If you run into problems installing this update, you’ll want to uninstall previous versions of Flash Player and then try again.

For those who are manually updating Flash without the download manager, the link to the Adobe Air updater (version 2.6) is here.

Keeping up with Flash and other security updates for plug-ins is one area where Google Chrome really shines. Google automatically updates Chrome with the newest version of Flash, and it typically does this at least one or two days before Adobe officially releases Flash updates (it looks like Google updated Chrome to fix this flaw on Thursday). According to Google’s Eric Davis, Chrome also sandboxes Flash for Chrome browsers running on Windows Vista and Windows 7. In addition, Chrome updates other out-of-date extensions automatically, and automatically updates its built-in PDF viewer, which also is sandboxed.

Speaking of PDF viewers, Adobe said in its advisory issued Tuesday that the same flaw that bedevils Flash also exists in the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems. The company says it plans to make an update available for Adobe Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.3 and earlier 9.x versions for Windows and Macintosh no later than the week of April 25, 2011. As it said in the case of the previous Flash flaw three weeks ago, “Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.”

Supermarket giant Kroger Co. is the latest major business to disclose that its customer email list has fallen into into the hands of spammers and scam artists.

In a communication sent to customers today, Kroger said its database of customer names and email addresses had been breached by someone outside the company. A call to the 1-800 number included in the missive connects to a lengthy recorded message warning customers about an increase in phishing attacks and spam targeting Kroger customers. Kroger’s media relations folks have not yet returned calls seeking comment.

The disclosure comes close on the heels of similar acknowledgments from McDonalds, Walgreens, Honda, deviantART, and most recently TripAdvisor and play.com. They appear to be the lingering fallout from a series of sophisticated, targeted attacks against dozens of email service providers (ESPs) that manage communications between some of the world’s top brands and customers that have opted-in to receive messages from these companies.

In most cases, the spam sent to customers of these companies pushed recipients to buy dodgy services and software. It’s not clear which email service provider may have leaked the Kroger customer information, but it seems that few — if any — ESPs have escaped injury.

According to the CEO of play.com, that breach involved an attack against marketing firm SilverPop Systems. SilverPop did not respond to requests for comment.

I called SilverPop today because a source forwarded a junk email message to me that appears to have been sent directly from SilverPop’s internal email systems (the text and headers from that email are here). The missive is an offer to download Adobe Reader, and recipients who click the included link are brought to a page that tries to charge them for the free software. This approach is almost identical to the scam emails sent out directly after the successful attacks against email services providers in November of last year.

My initial reporting on this attack against the email service provider industry indicates that most of the providers in the industry had client customer data stolen. I’m left wondering how long we have to keep watching this stream of disclosures trickle out, and how long it might take for email service providers like SilverPop to get their houses in order?

Update, 6:55 p.m. ET: A story in the Cincinnati Business Courier says the breach occurred at Epsilon, an email service provider headquartered in Dallas.

Update, 9:45 p.m. ET: Several readers have reported receiving similar disclosures today from gift store Brookstone.

Update, Apr. 2, 9:35 a.m. ET: Another reader wrote in to say he’d received a notification (PDF) from U.S. bank, which said the financial institution’s customer email list was stolen due to a breach at Epsilon.

Update, Apr. 2, 5:41 p.m. ET: The Epsilon breach extends to JP Morgan Chase, McKinsey Quarterly, and apparel chain New York & Co, according to new disclosures from those companies.

Update, Apr. 2, 8:45 p.m. ET: And the list of disclosures continues: The Home Shopping Network just issued a release (PDF) saying its customer list was compromised via the Epsilon breach.

Update, Apr. 2, 9:00 p.m. ET: Looks like we can add TiVo to the list, although the company’s disclosure doesn’t say which email service provider was responsible.

Update, Apr. 3, 9:11 a.m. ET: According to SecurityWeek.com, the brands impacted by the Epsilon breach include Capital One, City Market, Dillons, Jay C, Food 4 Less, Fred Meyer, Fry’s, King Soopers, Marriott Rewards, QFC, Ralphs, Ritz Carlton, and Smith Brands and Walgreens.

Adobe warned today attackers are exploiting a previously unknown security flaw in all supported versions of its Flash Player software. The company said the same vulnerability exists in Adobe Reader and Acrobat, but that it hasn’t yet seen attacks targeting the flaw in those programs.

In an advisory released today, Adobe said malicious hackers were exploiting a critical security hole in Flash (up to and including the latest version of Flash. The software maker warned the vulnerability also exists in Adobe Flash player 10.2.152.33 and earlier versions for Windows, Mac, Linux and Solaris operating systems (10.2.154.13 and earlier for Chrome users), Flash Player 101.106.16 and earlier for Android. In addition, Adobe believes the bug lives in the “authplay.dll” component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Mac systems.

Adobe warns that the security hole is currently being exploited via Flash (.swf) files embedded in a Microsoft Excel document delivered as an email attachment. Why someone would need to embed a Flash file in an Excel document is anyone’s guess.

The company says it is in the process of churning out a fix for the problem, which should be available during the week of March 21.

For those readers wondering whether the security fortifications built into Reader X block this attack, Adobe says you will have to take their word for it:  “Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.”  Brad Arkin, senior director of product security and privacy for Adobe, said in a blog post that providing an out-of-cycle update for Adobe Reader X would have delayed the current patch release schedule by about another week.

Now is a good time to point out that the “Noscript” plugin for Firefox will block Flash on sites that you have not specifically allowed to load Flash files. If you are looking for alternative PDF readers, there are several.

In other news, Google said Friday that it is seeing some highly targeted and apparently politically motivated attacks against users that abuse a publicly-disclosed vulnerability in Internet Explorer. Microsoft has not issued an official patch for this IE flaw yet, but if you browse the Web with IE, it would be a great idea to take advantage of the FixIt tool that Microsoft has made available to blunt the threat from this vulnerability.

Once or twice each year, some security company trots out a “study” that counts the number of vulnerabilities that were found and fixed in widely used software products over a given period and then pronounces the worst offenders in a Top 10 list that is supposed to tell us something useful about the relative security of these programs. And nearly without fail, the security press parrots this information as if it were newsworthy.

The reality is that these types of vulnerability count reports — like the one issued this week by application whitelisting firm Bit9 — seek to measure a complex, multi-faceted problem from a single dimension. It’s a bit like trying gauge the relative quality of different Swiss cheese brands by comparing the number of holes in each: The result offers almost no insight into the quality and integrity of the overall product, and in all likelihood leads to erroneous and — even humorous — conclusions.

The Bit9 report is more notable for what it fails to measure than for what it does, which is precious little: The applications included in its 2010 “Dirty Dozen” Top Vulnerable Applications list had to:

• Be legitimate, non-malicious applications;

• Have at least one critical vulnerability that was reported between Jan. 1, 2010 and Oct. 21, 2010; and

• Be assigned a severity rating of high (between 7 and 10 on a 10-point scale in which 10 is the most severe).

The report did not seek to answer any of the questions that help inform how concerned we should be about these vulnerabilities, such as:

• Was the vulnerability discovered in-house — or was the vendor first alerted to the flaw by external researchers (or attackers)?

• How long after being initially notified or discovering the flaw did it take each vendor to fix the problem?

• Which products had the broadest window of vulnerability, from notification to patch?

• How many of the vulnerabilities were exploitable using code that was publicly available at the time the vendor patched the problem?

• How many of the vulnerabilities were being actively exploited at the time the vendor issued a patch?

• Which vendors make use of auto-update capabilities? For those vendors that include auto-update capabilities, how long does it take “n” percentage of customers to be updated to the latest, patched version?

The reason more security companies do not ask these questions is that finding the answers is time-consuming and difficult. I should know: I volunteered to conduct this analysis on several occasions over the past five years. A while back, I sought to do this with three years of critical updates for Microsoft Windows, an analysis that involved learning when each vulnerability was reported or discovered, and charting how long it took Microsoft to fix the flaws. In that study, I found that Microsoft actually took longer to fix flaws as the years went on, but that it succeeded in an effort to convince more researchers to disclose flaws privately to Microsoft (as opposed to simply posting their findings online for the whole world to see).

I later compared the window of vulnerability for critical flaws in Internet Explorer and Mozilla Firefox, and found that for a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. In contrast, I found that Firefox experienced a single period lasting just nine days during that same year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to fix the problem.

Bit9′s vulnerability count put Google Chrome at the Number 1 spot on its list, with 76 reported flaws in the first 10 months of this year. I’d like to propose that — by almost any objective measure — Adobe deserves to occupy the first, second and third positions on this grotesque vulnerability totem pole, thanks to  vulnerabilities in and incessant attacks against its PDF Reader, Flash and Shockwave software.

For one thing, Adobe appears to have had more windows of vulnerability and attack against flaws in its products than perhaps all of the other vendors on the list combined. Adobe even started this year on the wrong foot: On Dec. 15, 2009, the company announced that hackers were breaking into computers using a critical flaw in Reader and Acrobat. It wasn’t until Jan. 7 — more than three weeks later — that the company issued a patch to fix the flaw.

This happened again with Adobe Reader for 20 days in June, and for 22 days in September. Just yesterday, Adobe issued a critical update in Reader that fixed a flaw that hackers have been exploiting since at least Oct. 28.

True, not all vendors warn users about security flaws before they can issue patches for them, as do Adobe, Microsoft and Mozilla: In many ways this information makes these vendors easier to hold accountable. But I think it’s crucial to look closely at how good a job software vendors do at helping their users stay up-to-date with the latest versions. Adobe and Oracle/Sun, the vendors on the list with the most-attacked products today, both have auto-update capabilities, but these updaters can be capricious and slow.

Google and Mozilla, on the other hand, have helped to set the bar on delivering security updates quickly and seamlessly. For example, I’ve found that when I write about Adobe Flash security updates, Google has already pushed the update out to its Chrome users before I finish the blog post. The same is true when Mozilla issues patches to Firefox.

Marc Maiffret, CTO at eEye Digital Security, also took issue with the Bit9 report, and with Google’s position at #1.

“While many vulnerabilities might exist for Chrome, there are very few exploits for Chrome vulnerabilities compared to Adobe,” Maiffret said. “That is to say that while Chrome has more vulnerabilities than Adobe, it does not have nearly the amount of malicious code in the wild to leverage those vulnerabilities.”

There is no question that software vendors across the board need to do a better job of shipping products that contain far fewer security holes from the start: A study released earlier this year found that the average Windows user has software from 22 vendors on her PC, and needs to install a new security update roughly every five days in order to use these programs safely. But security companies should focus their attention on meaningful metrics that drive the worst offenders to improve their record, making it easier for customers to safely use these products.

Adobe on Tuesday issued a critical update to patch at least two security holes in its PDF Reader and Acrobat software, including one flaw that was publicly disclosed earlier this month.

Updates are available for Windows, Mac and UNIX versions of Reader and Acrobat. The newest version is v. 9.4.1. If you use either of these products, take a moment to update them by clicking “Help,” then “Check for Updates.” Direct links to the new versions also are available in the Adobe advisory for this update. Note that this is not the sandboxed version (Adobe Reader X, or v 10.0) which is expected to be released at the end of this month.

Separately, the company is warning users not to fall for recent phishing and other e-mail scams targeted at Adobe customers looking for the Adobe Acrobat X, a new product being released this week. “Many of these emails require recipients to register and/or provide personal information. Please be aware that these emails have not been sent by Adobe or on Adobe’s behalf,” Adobe said.

Adobe Systems pushed out a critical security update for its Shockwave Player that fixes nearly a dozen security vulnerabilities.  The software maker also is warning that attackers are targeting a previously unidentified security hole in its Acrobat and PDF Reader products.

The Shockwave patch plugs 11 security holes in program, most of which attackers could use remotely to take control over an affected system.  Updates are available for Mac and Windows computers, from this link. The latest version is 11.5.9.615.  Before you blithely click through the process, keep a lookout for pre-checked “free” software that will install alongside this Shockwave update if you simply accept all the default options. When I tested the Shockwave installer, it included a “free PC performance scan from PC Tools’s Registry Mechanic. I opted to untick the check mark next to that option before proceeding with the rest of the install, which was otherwise uneventful.

Due to Adobe’s huge market share and apparent abundance of as-yet-undiscovered security holes, life with Adobe’s products can feel a bit like playing Whac-a-Mole: Just when you’ve patched one Adobe product it seems like there’s another one under assault by attackers. True to form, Adobe released a separate advisory today warning that hackers were targeting a critical flaw in the latest version of its Acrobat and PDF Reader products.

Adobe says the Acrobat/Reader vulnerability could cause a crash and potentially allow an attacker to take control of the affected computer, and that there are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. The flaw also exists in ubiquitous Adobe’s Flash Player, although the company said it is not currently aware of attacks targeting the latest version of Flash (v. 10.1.85.3).

Even so, Adobe plans to fix the issue in Flash before tackling it in Reader and Acrobat. The company says it plans to issue a fix for the bug in Flash by Nov. 9, 2010, but that it doesn’t expect to release an update to clobber the problem on Acrobat/Reader until the following week.

In other patch news, Mozilla has released an update that fixes a critical flaw that security experts warned this week was being used to attack Firefox users. Chances are good that your copy of Firefox (assuming it is semi-recent) has already downloaded this update, which brings Firefox to version 3.6.12 If you haven’t already been prompted to restart Firefox, click “Help” in the menu bar on top and look for an item that says “Apply Downloaded Update Now.” Otherwise, it’s available from Mozilla’s home page.