Adobe today released a fix for two critical security flaws in its Reader and Acrobat programs, even as a new report found that 80 percent of Web exploits at the end of 2009 came from malicious PDFs.
The update bumps Reader and Acrobat from version 9.3 to 9.3.1, and applies to the Windows, Macintosh and UNIX versions of Reader and the Windows and Macintosh versions of Acrobat. If you're still on version 8.2 of either program, an update to 8.2.1 patches the same flaws.
The first fixed vulnerability could "subvert the domain sandbox and make unauthorized cross-domain requests," according to Adobe's security bulletin, while the second could crash the program and potentially allow an attacker to execute code. To pick up the update, choose Help | Check for Updates from within either program. You may also see a pop-up notifying you about the update after the program's weekly or monthly automatic check.
In the meantime, a new report from Web security company ScanSafe makes clear why it's worth staying on top of the seemingly constant flow of critical updates for Adobe's programs. According to its Annual Global Threat Report for 2009, 80 percent of the "Web-encountered exploits" the company saw in the fourth quarter of 2009 were malicious PDFs, up from 56 percent in the first quarter of the year.
ScanSafe's findings match the message from plenty of other security companies: Crooks are going after Adobe apps. ScanSafe writes that the trend is "likely due to the increasing availability of vulnerabilities and the continued widespread use and acceptance of PDF files in the workplace," while antivirus maker F-Secure has gone so far as to recommend getting rid of Reader and using an alternate program.