Adobe Reader, Acrobat updates fix 17 critical holes

Adobe on Tuesday released updates for Reader and Acrobat that plug 17 critical holes, including one being exploited in the wild to take control of computers and one that could be used to launch an attack using social engineering and PDF files.

Adobe warned about the vulnerability being used in attacks, which also affected Flash Player, in early June and plugged the hole in Flash on June 10.

Meanwhile, the PDF vulnerability was made public in late March by security researcher Didier Stevens, who fashioned a proof-of-concept attack that relied on the "/launch" functionality. Another researcher at NitroSecurity took advantage of the same flaw to create a proof-of-concept attack about a week later.

"We added functionality to block any attempts to launch an executable or other harmful objects by default," Adobe's Steve Gottwals, wrote in a blog post on Tuesday. "We also altered the way the existing warning dialog works to thwart the known social engineering attacks."

The security updates are for Adobe Reader 9.3.2 for Windows, Mac, and Unix, Adobe Acrobat 9.3.2 for Windows and Macintosh, and Adobe Reader 8.2.2 and Acrobat 8.2.2 for Windows and Mac, according to the security bulletin.

These updates will take the place of the quarterly security update that was scheduled for July 13, Adobe said. The next quarterly update is scheduled for October 12.

Meanwhile, Adobe said that when patches are available it will provide immediate updates on its Download Center for the most popular languages and operating systems starting July 13.

The company also said its new Updater system, launched in April, seems to be helping customers keep their software up to date better than the old system.

"When we compared the new updater against the older technology, we found that our users were much more likely to update using the new Adobe Reader Updater," Gottwals wrote. "Our data showed that the user population adopted the last update roughly three times faster than previous updates."