Adobe Reader and Acrobat Security Updates

Published: 2011-04-21
Last Updated: 2011-04-21 17:41:20 UTC
by Guy Bruneau (Version: 1)
5 comment(s)

Adobe released important security updates for Adobe Reader X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh OS. The bulletin is posted at [1].

"CVE-2011-0611, is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat, as well as via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing."[1]


Affected software:

Adobe Reader X (10.0.1) and earlier versions for Windows
Adobe Reader X (10.0.2) and earlier versions for Macintosh
Adobe Acrobat X (10.0.2) and earlier versions for Windows and Macintosh

NOTE: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by CVE-2011-0611.


[1] http://www.adobe.com/support/security/bulletins/apsb11-08.html

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Keywords: Acrobat Adobe Reader

Comments

Regardless of where I look, the latest version of Adobe Reader available for download for Windows 7 seems to be 10.0.1. Check for updates within as well as the Adobe Reader http download site AND the ftp site all show 10.0.1 as the most recent version. The FTP site shows Feb 8, 2011 as the most recent Reader X file (version 10.0.1).
What am I missing here?

The Adobe web site says that Reader X for Windows will not be patched until June:

"Because Adobe Reader X (10.x) Protected Mode would prevent an exploit of this kind from executing, we are planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011"

My bad -- I stopped reading the bulletin at, "Adobe recommends users of Adobe Acrobat X (10.0.2) for Windows" and went looking for it. Who'd expect Adobe to recommend 10.0.2 when it did not yet exist?

Acrobat X 10.0.2 is the version for Standard and Professional, not the reader. There is an update for Standard and Professional, which takes them to 10.0.3. 10.0.1 remains the latest version for the free reader.

Joey is right, but that announcement from Adobe is hardly a model of clarity. Probably the work of an Ivy League graduate :p
