Adobe patches Reader and Acrobat for "critical" vulnerabilities

In the first of its regular security updates, Adobe on Tuesday patched several “critical” vulnerabilities it has identified in Adobe Reader and Acrobat versions 9.1.1 and earlier.

In a security advisory, Adobe said that the vulnerabilities would cause applications to crash and potentially enable an attacker to take control of an affected system. None of the flaws are being actively exploited, according to Adobe.

The advisory said that users of Reader and Acrobat should update their products to versions 9.1.2, 8.1.6, or 7.1.3. The updates apply to Windows and Macintosh, but updates for Adobe Reader on UNIX platforms will have to wait until June 16.

Specifically, the updates address issues such as stack overflow, memory corruption and heap overflow vulnerabilities that could potentially lead to code execution.

Adobe classifies a vulnerability as “critical” if, when exploited, it would “allow malicious native-code to execute, potentially without a user being aware.”

In May, Adobe announced plans to issue security fixes for Reader and Acrobat on a scheduled basis starting this summer. The move mirrors similar decisions by other leading software providers such as Microsoft and Oracle, which have moved to monthly and quarterly release cycles, respectively.

"This is the first quarterly security update for Adobe Reader and Acrobat as described in our May 20 blog post," Wendy Poland, a security response program manager, wrote Tuesday in a post on the company's Product Security Incident Response Team (PSIRT) blog, "and incorporates the initial output of code hardening efforts."

"Adobe is not currently aware of any exploits in the wild for these issues," she added.

 
