Adobe to rush out another critical Reader patch

A Flash Player flaw, patched Thursday, affects Reader and Acrobat as well

Just weeks after patching a critical flaw, Adobe Systems is rushing out another patch for its Reader and Acrobat software. The company also patched a critical issue in Flash Player Thursday.

The Flash Player flaw could be used by an attacker to trick a Web browser into doing things that it shouldn't, but it's not what is known as a remote-code execution flaw. This means it can't be used to directly install unauthorized software on a victim's computer, said Brad Arkin, Adobe's director of product security and privacy.

If the bug is exploited, "the attacker would be able to execute a general class of cross-site request forgery type of attacks," Arkin said. Adobe rates the issue as "critical."

Normally Adobe patches Reader and Acrobat in quarterly security updates, but Adobe is being forced to rush out next Tuesday's fix because these products are also susceptible to the Flash Player flaw, Arkin said. "We decided that we wanted to get the update for Flash Player out to users as soon as possible," he said. "We didn't want to wait any extra time to do a coordinated release."

In theory, hackers could learn about the bug by looking at the Flash Player patch and then use that information to attack Reader and Acrobat, but Adobe is giving them just a five-day window to complete this work. At present, Adobe isn't aware of any attacks that exploit this Flash Player bug, Arkin said.

Users who are worried about the Flash Player bug being exploited in Reader can mitigate the threat by opening documents outside of the browser, Arkin said.

Next week's Reader and Acrobat update will also patch another undisclosed issue in the PDF-reading software, he added.

The flaws affect Windows, Mac and Unix platforms.

Adobe's security has come under scrutiny over the past year as attackers have increasingly leveraged Reader and Acrobat flaws to hack into computers. Because Reader is installed on almost all desktop computers, a well-crafted Reader attack can affect more victims than one that targets Internet Explorer or Firefox.

Adobe's next scheduled Reader and Acrobat update is due April 13.

Also on Thursday, Adobe patched an "important" bug in its open-source BlazeDS messaging software.

Join the PC World newsletter!

Error: Please check your email address.

Tags adobe readersecurity patchsecurityadobe

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?