Adobe Preps Quarterly Security Update for Reader, Acrobat

Adobe plans to address several bugs in its Reader and Acrobat software as part of its scheduled quarterly update.

All of the vulnerabilities being patched are rated critical, said Adobe in its pre-notification Security Advisory on June 9. Adobe is expected to roll out the quarterly security updates for Adobe Reader and Acrobat on June 14, the same day as Microsoft’s large June Patch Tuesday release.

Adobe defines critical vulnerabilities as those which would allow attackers to execute malicious code.

The patches will fix bugs in Adobe Reader and Acrobat X as well as versions 9.4.3 and earlier for both Windows and Mac OS X, according to the pre-notification. Adobe Reader for Android does not seem to be included in the update.

This is an important update as “Adobe has some outstanding vulnerabilities they have been waiting to address until the next scheduled quarterly update,” said Jason Miller, manager of the research and development group at VMware.

Adobe has released a number of patches in the past few months closing zero-day vulnerabilities in Flash, Reader and Acrobat. The company released an emergency patch just four days ago to close a universal cross-site scripting vulnerability in Flash that was being actively exploited.

The company noted at the time that the cross-site scripting flaw also affected the authplay.dll component in Reader and Acrobat. This particular issue is supposed to be fixed for Reader and Acrobat X and earlier 10.x and 9.x versions for both Windows and Mac OS X in this update.

In March and April, Adobe issued out-of-band updates for all versions except Reader and Acrobat X to close security holes that allowed attackers to embed malicious Flash code into other documents. The company deferred updates to these two applications to the scheduled quarterly update because their sandbox architecture prevented the rogue Flash files from executing. Since the sandbox effectively shut down any exploits from compromising the system, the severity was lessened, according to Adobe.

“These vulnerabilities have been sitting idle,” Miller said.

Large updates from Adobe and Microsoft are coming out on the same day, and Oracle just released a fairly large update to fix remote control execution vulnerabilities in Java. System administrators will have to “parse through” a lot of information once all the updates are live, according to Miller.

Microsoft said in its June Patch Tuesday preview it will fix nine critical and seven important vulnerabilities. Ten of the vulnerabilities could result in remote code execution. While it is a "heavy" release, Miller had expected to see an even larger update for June.

“We welcome, accept and look forward to the challenge of supporting as many patches as possible,” Miller said.

Administrators will have to “closely plan” how they will test and deploy all these updates, according to Wolfgang Kandek, CTO for Qualys.

“This will be a long hot summer for IT professionals and there is just no room to slow down,” said Paul Henry, security and forensic analyst for Lumension.