Adobe has released updates to Adobe Acrobat and Reader, fixing a critical vulnerability discovered last week in Adobe Flash 10.2. The vulnerability, which has since been fixed in a Flash update, could potentially allow an attacker to take control of a system by triggering a crash. Acrobat and Reader were also affected via authplay.dll which is included in the products, as the vulnernability may be triggered by embedded Flash in a PDF document. Another exploit, which has not been used in-the-wild, has also been patched. Adobe's patch comes a few days ahead of schedule.
The affected products are:
- Adobe Reader X 10.0.1 and earlier versions for Windows
- Adobe Reader X 10.0.2 and earlier versions for Mac OS X
- Adobe Acrobat 10.0.2 and earlier versions for Windows and Mac OS X
Unaffected products are:
- Adobe Reader 9.x for Unix
- Adobe Reader for Android
- Adobe Reader and Acrobat 8.x
According to Computerworld, a few in-the-wild cases of malicious PDFs containing the exploit have been spotted already. Documents containing the exploit are being circulated via emails purporting to come from New York Times editors. claim to offer information about China, Russia, the Middle East, and the Obama administration. The culprits are believed to be from servers in Utah and China. The vulnerability's impact on Adobe Reader X for Windows is limited, as the Windows version has an exclusive Protected Mode that limits damage from exploit code.
The security advisory may be read here. Mac users may download the update here, and Windows users of Adobe Reader 9.x may download the update here. Please note that Windows users of Adobe Reader X will have to wait until the next quarterly update scheduled for mid-June, and thus cannot download an update for the time being.