Adobe have just released an out-of-cycle patch to address a critical vulnerability (CVE-2011-0609) in Adobe Reader and Acrobat for Windows and Mac. Naked Security recommends that all users update now.
The vulnerability can causes system crashes and potentially allow an attacker to take control of the affected computer.
There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.
At this time, Adobe is not aware of attacks targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode would prevent an exploit of this kind from executing. Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue.
Sophos customers should visit Sophos’s support article, Vulnerability: APSA11-01 – Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat, for more information and advice.
Where to update:
Adobe Reader 9.x users on Windows:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.
Adobe Reader users on Macintosh:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.
Acrobat Standard and Pro users on Windows:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.
Acrobat Pro Extended users on Windows:
http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows.
Acrobat Pro users on Macintosh:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.
The next quarterly security updates for Adobe Reader and Acrobat are currently scheduled for June 14, 2011.
They've patched v9, and they've patched v10 on the Mac, but they've decided to leave the vulnerability in v10 for Windows until June:
"… we are planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011"
Hey, what's the worst that could happen?!