October 06, 2010, 11:05 AM — Adobe patched 23 security vulnerabilities in its Reader PDF viewer on Tuesday, most of them critical, including one that has been exploited by hackers for at least a month or possibly much longer.
In September, Adobe promised to speed up the delivery of today's patches, which were originally meant to ship next week, because attackers were already leveraging a bug in Reader's and Acrobat's font parsing.
Tuesday's fixes updates Reader and Acrobat to versions 9.4 and 8.2.5.
"Adobe is hitting customers with a double whammy today," Andrew Storms, director of security operations at nCircle Security, said via e-mail. "Adobe products continue to be at the top of the target list for malware writers."
"They patched a zero-day flaw in Flash in late September, and today they are releasing their quarterly Acrobat update ahead of schedule because of another zero-day," Storms said.
Tuesday's Reader and Acrobat updates also included a patch released more than two weeks ago for Flash , Adobe's media player. Both Reader and Acrobat include code to run Flash embedded in PDF documents.
Of the 23 bugs Adobe patched, the most notable was the one revealed Sept. 7 by Mila Parkour, an independent security researcher who reported the attack after discovering rigged PDFs attached to e-mail messages.
The vulnerability and attacks received the label "David Leadbetter" after the renowned golf swing coach whose name was used in the subject line of many of those e-mails.
The Leadbetter exploit was called "scary," "clever" and "impressive" by various security researchers in September, in part because it bypassed important defensive measures that Microsoft has built into Windows, ASLR (address space layout randomization) and DEP (data execution prevention).
Most of the attacks using the Leadbetter exploit were "targeted" -- aimed at specific individuals or companies -- rather than used in massive campaigns.
The exploit also relied on a stolen digital certificate to sign some of its files, another hint at a greater-than-average level of sophistication. Chet Wisniewski, a senior security adviser at security software vendor Sophos, compared the exploit to the Stuxnet worm, which also used pilfered certificates.