Adobe has released special out-of-cycle security updates to patch critical vulnerabilities in Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Mac.
The vulnerabilities, referenced in a security advisory issued on 11 April, could cause a crash and potentially allow an attacker to take control of the affected system.
The announcement was Adobe's second in four weeks concerning a zero-day vulnerability.
Adobe says there are reports that one of the vulnerabilities, CVE-2011-0611, is being actively exploited in the wild against both Adobe Flash Player and Adobe Reader and Acrobat, as well as via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an e-mail attachment.
Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing, the company says.
Adobe recommends that users of Adobe Reader X (10.0.2) for Mac update to Adobe Reader X (10.0.3).
For users of Adobe Reader 9.4.3 for Windows and Mac, Adobe has made available the update Adobe Reader 9.4.4.
Adobe recommends that users of Adobe Acrobat X (10.0.2) for Windows and Mac update to Adobe Acrobat X (10.0.3), and that users of Adobe Acrobat 9.4.3 for Windows and Mac update to Adobe Acrobat 9.4.4.
"Because Adobe Reader X Protected Mode would prevent exploits of the type targeting CVE-2011-0611 from executing, we are currently planning to address these issues in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for 14 June 2011," said Adobe.
Adobe Reader 9.x for Unix, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by CVE-2011-0611.