Critical hole in Reader: Adobe accelerates patch day
Adobe has announced plans to bring forward to Tuesday, October 5th, the release of a patch that closes the critical security hole in the current versions of Reader and Acrobat. As a result, no further patches will be released on the scheduled patch day, which was due on October 12th. The hole has been known about since early September and allows attackers to gain control of users' systems via specially crafted PDF files.
The vulnerability has been actively exploited for several weeks to propagate malware, prompting Adobe to act now. The integrated Flash Player is also said to be vulnerable and will be updated to the latest version as part of the fix. Even if the Flash Player installed on a system has already been updated, Adobe Reader and Acrobat still use their own older copy of the player, which the vendor manages separately.
As a workaround, Microsoft's EMET tool can provide protection against infected PDF files. Further details on EMET and the collaboration between Adobe and Microsoft on protection against online threats are available in a Microsoft news article.
The repeated need for early releases adds further weight to the question of whether Adobe's scheduled quarterly update cycle should generally be shortened or even abandoned in favour of a more timely response providing increased user security.