On the same day that Microsoft unleashed a torrent of 34 patches on its customer base, Adobe on Tuesday published patches for 29 vulnerabilities in its Acrobat and Reader products as part of its new quarterly patch release program.
The Adobe vulnerabilities patched yesterday include a remote code-execution vulnerability found in Adobe Reader and Acrobat that is already being used by attackers. The flaw is a heap overflow, and the SANS Internet Storm Center reports that it has been under attack in the wild since last week. Adobe’s security team said that some mitigations can protect customers against the attacks even before the patch is installed.
Adobe Reader and Acrobat 9.1.3 customers with DEP enabled on Windows Vista will be protected from this exploit. Disabling JavaScript also mitigates against this specific exploit, although a variant that does not rely on JavaScript could be possible. In the meantime, Adobe is also in contact with Antivirus and Security vendors regarding the issue and recommends users keep their anti-virus definitions up to date.
Adobe has rated the huge batch of fixes as critical and recommends that customers install the package immediately.