Update: The original version of this article listed the vulnerability report as appearing on 2012-02-12 and Adobe's workaround on 2013-02-13, more than a year later. It was, in fact, the next day: the vulnerability report was dated 2013-02-13. Thanks to Naked Security reader Joerg for spotting the mistake. (Corrected 2013-02-21T08:37Z)
Adobe has released the emergency update for Reader and Acrobat that it promised late last week.
The company decided to get a move on to deal with a newly reported vulnerability that was actively being exploited, at least on Windows and the Mac.
The timeline has been pretty swift:
- 2013-02-12: Bug reported in a blog post by FireEye. Details scant.
- 2013-02-13: Adobe publishes a security bulletin, including a workaround for Windows users.
- 2013-02-17: (Weekend) Adobe announces patch "next week."
- 2013-02-20: Patch is released.
The fixes are available for all affected platforms, so Windows, Mac and Linux users should all upgrade.
Adobe rates these updates at a priority of 1 on the Windows and Macintosh platforms, for all supported product versions (9, 10, 11).
That's because the vulnerability was not just known, but actively being exploited.
On Linux, the rating is 2, which means that vulnerabilities exist in the product, but no exploits are known.
How quickly should you act?
Adobe's recommendations are to get Ones done in three days, or "as soon as possible," and Twos within a month, which it describes as "soon."
If you're still labouring away under a change control regimen that makes this sort of responsiveness difficult, it's high time to work at speeding things up.
In this case, Adobe has bust a gut to get its patch done quickly and within the promised timeframe.
You may as well take advantage of Adobe's new-found velocity!
PS. If you have your Reader or Acrobat installation set to update automatically, it will. But you can fast-forward the update if you want, by using Help | Check for Updates.