Adobe Systems Inc. issued a massive update Tuesday, repairing nearly two dozen vulnerabilities in its Reader and Acrobat software, including a zero-day flaw that attackers are targeting in the wild.
The Adobe fix was issued a week ahead of its regular quarterly patch release for Reader and Acrobat to address a dangerous Flash Player vulnerability that it fixed Sept. 20. The hole also affects the Flash components in Reader and Acrobat. In a security bulletin addressing the flaw, Adobe said it was aware of ongoing attacks against those programs.
The critical flaw enables an attacker to remotely cause Flash Player to crash and execute malicious code to take control of a victim's machine. The Flash Player hole surfaced in September when exploits were made widely available.
In addition, 22 other vulnerabilities were repaired with Tuesday's release. Adobe also fixed a second critical vulnerability, which affects Flash, Reader and Acrobat and could be used by an attacker to crash the applications and gain control of a victim's machine. Adobe said it was unaware of any active attacks targeting that hole.
Adobe urges users of Adobe Reader and Acrobat 9.3.4 and earlier or Adobe Reader and Acrobat 8.2.4 or earlier for Windows and Macintosh to upgrade to the latest versions. Adobe Reader and Acrobat for UNIX systems are also affected by the update.
Adobe said the next quarterly security updates for Adobe Reader and Acrobat are scheduled for Feb. 8, 2011.