Adobe to patch critical Reader and Acrobat flaws

by Phil Muncaster

18 Aug 2010

Adobe is one of the most often targeted software vendors

Adobe is to release several critical out-of-band updates for its Reader and Acrobat software on Thursday. The updates are designed to patch vulnerabilities disclosed by security researchers at last month's Black Hat conference.

In an update to a security advisory issued at the beginning of this month, Adobe said that the patches target Adobe Reader 9.3.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.3 for Windows and Macintosh, and Adobe Reader 8.2.3 and Acrobat 8.2.3 for Windows and Macintosh.

The vulnerabilities could be used by hackers to compromise a victim's PC. Security firm Secunia said in an advisory that the at-risk versions of Acrobat/Reader bundle a vulnerable version of Adobe Player.

In addition, a flaw in TrueType could allow the running of malicious code embedded in a PDF document. "Successful exploitation may allow execution of arbitrary code," explained Secunia.

Adobe said that its next quarterly security update falls on 12 October, so the firm obviously rates these vulnerabilities important enough to patch them early.

The debate on how and when new vulnerabilities are disclosed gathered momentum recently when HP's TippingPoint announced a new initiative under which it will release all data on software flaws six months after notifying the vendor.

Security researchers who disclose vulnerabilities before the vendor responsible has had time to fix them are often pilloried by the industry.

Google engineer Tavis Ormandy was widely criticised for not giving Microsoft enough time to fix a flaw found in Windows Help and Support Center. Soon after, hackers were found to be exploiting the flaw in the wild.
