Adobe promises fixes for Reader and Acrobat

Adobe has said it will issue updates to its Reader and Acrobat products on Tuesday May 12, in a bid to fix recently discovered critical vulnerabilities.


At the end of April, Adobe issued an advisory warning about a JavaScript flaw in all currently supported versions of Adobe Reader, its popular PDF-viewing software. The vulnerability could let an intruder remotely execute code on a user's machine, causing the application to crash and potentially allowing the attacker to take control of the affected system.

Last week, David Lenoe of Adobe's Product Security Incident Response Team (PSIRT) blogged that the company was in the process of fixing the issue and said the relevant product updates were scheduled to appear by May 12.

"Adobe plans to make available Windows updates for Adobe Reader versions 9.X, 8.X, and 7.X and Acrobat versions 9.X, 8.X and 7.X, Macintosh updates for Adobe Reader versions 9.X and 8.X and Acrobat versions 9.X and 8.X, as well as Adobe Reader for Unix versions 9.X and 8.X," Lenoe wrote.

The software maker has also confirmed the existence of another vulnerability, in Adobe Reader for Unix, Lenoe said. That flaw will also be remedied in the scheduled updates for Adobe Reader for Unix, he noted.

Lenoe advised users waiting for the updates to disable JavaScript in Reader and Acrobat in the meantime.

The vulnerabilities are the latest in a string of security flaws found in Adobe's products. In March, Adobe patched a zero-day flaw in Reader that had led to exploits in the wild, while in February it had to issue a patch for a critical vulnerability in the Flash player.

In his post last week, Lenoe said that Adobe's security team had been unable to "reproduce an exploitable scenario for Windows and Macintosh", but said it would continue to investigate the issue.