Adobe will release a round of patches on Tuesday for its Reader and Acrobat products, and also has issued a separate advisory that it is working on a update for a vulnerability in ColdFusion that the company said is currently being exploited.
“We are currently evaluating the reports and plan to issue a security advisory as soon as we have determined mitigation guidance for ColdFusion customers and a timeline for a fix,” Adobe’s Wendy Poland said in an advisory.
The vulnerabilities affect ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Mac and Unix.
A ColdFusion hotfix was included in Adobe’s December patch release. ColdFusion 10 and earlier versions for Windows, Mac and Unix were patched for a sandbox permissions vulnerability in shared hosting environments.
Adobe spokesperson Wiebke Lips said none of the vulnerabilities being patched on Tuesday are being actively exploited in the wild.
Vulnerabilities in Adobe Reader and Acrobat versions 11.0.0 and earlier are being patched next week. Adobe puts the most severe rating on vulnerabilities in versions 9.5.2 and earlier on Windows for both products. Adobe said this rating is given to vulnerabilities which have a higher risk of being targeted. The company recommends these patches be applied within 72 hours of release.
This is the third month that Adobe’s patch releases have coincided with Microsoft’s, which are made available the second Tuesday of every month.
Last month, a spate of Flash Player vulnerabilities were patched, repairing buffer overflow and memory corruption flaws. In November, Adobe repaired critical vulnerabilities in Flash Player and AIR.