Adobe will release its quarterly update to address security vulnerabilities in all versions of Reader and Acrobat.
Adobe plans to address several bugs in its Reader and
Acrobat software as part of its scheduled quarterly update.
All of the vulnerabilities being patched are rated critical,
said Adobe in its pre-notification
on June 9. Adobe is expected to roll out the quarterly
security updates for Adobe Reader and Acrobat on June 14, the same day as
Microsoft's large June Patch Tuesday release.
Adobe defines critical vulnerabilities as those which would
allow attackers to execute malicious code.
The patches will fix bugs in Adobe Reader and Acrobat X as
well as versions 9.4.3 and earlier for both Windows and Mac OS X, according to
the pre-notification. Adobe Reader for Android does not seem to be included in
This is an important update as "Adobe has some outstanding
vulnerabilities they have been waiting to address until the next scheduled
quarterly update," said Jason Miller, manager of the research and development group at VMware.
Adobe has released a number of patches in the past few
months closing zero-day vulnerabilities in Flash, Reader and Acrobat. The
company released an emergency patch just four days ago to close a universal
cross-site scripting vulnerability in Flash that was being actively exploited.
The company noted at the time that the cross-site scripting
flaw also affected the authplay.dll component in Reader and Acrobat. This
particular issue is supposed to be fixed for Reader and Acrobat X and earlier
10.x and 9.x versions for both Windows and Mac OS X in this update.
In March and April, Adobe issued out-of-band updates for all
versions except Reader and Acrobat X to close security holes that allowed
attackers to embed malicious Flash code into other documents. The company deferred
updates to these two applications to the scheduled quarterly update because
their sandbox architecture prevented the rogue Flash files from executing.
Since the sandbox effectively shut down any exploits from compromising the
system, the severity was lessened, according to Adobe.
"These vulnerabilities have been sitting idle," Miller said.
Large updates from Adobe and Microsoft are coming out on the
same day, and Oracle just released a fairly large update to fix remote control
execution vulnerabilities in Java. System administrators will have to "parse
through" a lot of information once all the updates are live, according to
Microsoft said in its June Patch Tuesday preview it will fix
nine critical and seven important vulnerabilities. Ten of the vulnerabilities
could result in remote code execution. While it is a "heavy" release,
Miller had expected to see an even larger update for June.
"We welcome, accept and look forward to the challenge of
supporting as many patches as possible," Miller said.
Administrators will have to "closely plan" how they will
test and deploy all these updates, according to Wolfgang Kandek, CTO for
"This will be a long hot summer for IT professionals and
there is just no room to slow down," said Paul Henry, security and forensic
analyst for Lumension.