Adobe closes numerous critical holes in Reader and Acrobat - Update
Adobe has released updates for its Flash and Shockwave Players, and Reader and Acrobat PDF viewers, addressing multiple vulnerabilities. All of these security updates are rated as critical by the company as they could be exploited by a remote attacker to take control of a victim's system and execute malicious code.
The updates for Reader and Acrobat X close a total of 20 security holes. These include stack and heap buffer overflows and a number of memory corruption vulnerabilities, and they could result in remote code execution. Reader and Acrobat X 10.1.3 and earlier, and versions 9.5.1 and earlier of Acrobat and Reader 9.x for Windows and Mac OS X are vulnerable; all users are advised to upgrade to versions 9.5.2 or 10.1.4. Adobe says that updating Windows Reader and Acrobat 9.5.1 or earlier is a priority 1 issue; this suggests that attacks using the vulnerabilities are already taking place and that users should update within 72 hours.
According to Adobe, Flash Player 11.3.300.270 and earlier versions for Windows, Mac OS X and Linux are vulnerable to a critical flaw which is already being exploited in the wild "in limited targeted attacks" through malicious Word documents. Updating to version 11.3.300.271 on Windows and Mac OS X, or 184.108.40.206 on Linux fixes the problem. Users can check to see which version of Flash they currently have installed by visiting the Adobe Flash Player web page. Google has already included the Flash Player update in version 21.0.1180.79 of its Chrome web browser. The company notes that Flash Player for Android, which will no longer be available in the Google Play store as of today, is not affected by the vulnerability.
A total of five memory corruption problems that could lead to arbitrary code execution have also been resolved in the company's Shockwave Player. Versions up to and including 220.127.116.115 are affected; Shockwave Player 18.104.22.1686 for Windows and Mac OS X corrects these issues. The updates can be downloaded from get.adobe.com/shockwave.
Update: According to Google employees Mateusz "j00ru" Jurczyk and Gynvael Coldwind, the current release of Adobe Reader for Linux is also vulnerable to the critical holes closed in the Windows and Mac OS X updates. Adobe has told the researchers that the Linux version of Reader will be fixed in an upcoming release, though details as to when the update will be available were not provided. Also, there are still 16 unpatched vulnerabilities in Reader across the Windows and Mac OS X versions.