Adobe today released Acrobat 10.0.3 (.pdf) and Acrobat/Reader 9.4.4 (.pdf), beating the deadline it set 6 days ago to have the latest Flash vulnerability patched in Acrobat X and Acrobat/Reader 8 & 9 by the week of April 25th.
Critical vulnerabilities have been identified in Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems. These vulnerabilities, including CVE-2011-0611, as referenced in Security Advisory APSA11-02, could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that one of the vulnerabilities, CVE-2011-0611, is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat, as well as via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.
Adobe recommends users of Adobe Reader X (10.0.2) for Macintosh update to Adobe Reader X (10.0.3). For users of Adobe Reader 9.4.3 for Windows and Macintosh, Adobe has made available the update, Adobe Reader 9.4.4. Adobe recommends users of Adobe Acrobat X (10.0.2) for Windows and Macintosh update to Adobe Acrobat X (10.0.3). Adobe recommends users of Adobe Acrobat 9.4.3 for Windows and Macintosh update to Adobe Acrobat 9.4.4. Because Adobe Reader X Protected Mode would prevent exploits of the type targeting CVE-2011-0611 from executing, we are currently planning to address these issues in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011. Today’s security updates are out-of-cycle updates.
You can download the updates from Adobe’s FTP server.
Windows:
Mac OS X:
For more information about these patches, see the security bulletin that accompanied today’s update.