Adobe promises patch for zero-day PDF bug by next Tuesday

Adobe has promised to patch the newest zero-day vulnerability in its popular Adobe Reader software no later than next Tuesday, potentially adding another update to the month's busiest patch day for the second time in three months.

May 12 is also Microsoft's regularly-scheduled monthly Patch Tuesday.

On Friday, Adobe's security team announced that it would issue updates to Adobe Reader and Acrobat -- versions 9.x, 8.x and 7.x for Windows, 9.x and 8.x for Mac and Linux -- by next Tuesday.

"We are in the process of fixing the issue," said David Lenoe, the company's security program manager, in a blog post, referring to the unpatched Reader bug that Adobe acknowledged April 28.

"Additionally, we have confirmed the second vulnerability (CVE-2009-1493) for Adobe Reader for Unix," he added, referencing a second bug that was reported last week. "This issue will be resolved in the upcoming Adobe Reader for Unix updates. Currently, we have not been able to reproduce an exploitable scenario for Windows and Macintosh, but we will continue to investigate."

In lieu of a patch, Adobe had earlier urged users to disable JavaScript in Reader and Acrobat to protect against attack. Both vulnerabilities -- the first, which affects Adobe's Windows, Mac and Linux software, and the second that apparently only affects Linux -- have gone public with supporting proof-of-concept attack code.

Adobe's pace has quickened since the last Reader zero-day vulnerability. Adobe acknowledged a critical bug on Feb. 19, but waited until Feb. 24 to recommend disabling JavaScript and fixed the flaw on March 10 for Reader and Acrobat 9.x on Windows and Mac. Although the 9.x fix was to release March 11, Adobe finished its work and unveiled it a day early, even though that was also Microsoft's patch day for the month.

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine