threatpost | Dennis Fisher | THREATPOST:DAFE4C40F672DA84E11AC6FFC2BBB716
Nov 16, 2010 - 7:41 p.m.

Adobe Releases Emergency Fix for Critical Reader Flaws


EPSS: 0.969 (High), percentile 99.7%

Adobe on Tuesday released an emergency patch for several critical vulnerabilities in Adobe Reader, including the recent Adobe Flash bug and a separate flaw that was disclosed earlier this month.

The patch released Tuesday is outside of the company’s normal quarterly update schedule for Reader and was released early because of ongoing attacks against some of the vulnerabilities being fixed. The Flash vulnerability was disclosed two weeks ago and Adobe pushed out a patch for Flash quickly. The Reader version of the vulnerability took a while longer to fix.

“A critical vulnerability has been identified in Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh. This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in its advisory on the bug.

One of the other issues that Adobe fixed in Reader is a bug that can be used to cause a crash or denial of service. There are some reports that the flaw also can be used to execute remote code, although Adobe did not confirm that.