To complement the September 20th patch Adobe released for Flash Player, Adobe has now patched Adobe Reader and Acrobat. This is the quarterly update that would normally have been scheduled for next week but it was accelerated due to vulnerabilities actively being exploited in the wild. With this large patch, it is addressing 23 vulnerabilities known in Reader and Acrobat.
You can read the related Security Bulletin, APSB10-21, for more details as to the specific vulnerabilities addressed and download links to the updates for the various products this update serves.
These vulnerabilities, including CVE-2010-2883, referenced in Security Advisory APSA10-02, and CVE-2010-2884 referenced in the Adobe Flash Player Security Bulletin APSB10-22, could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users update to 9.4 immediately for security reasons. If you’re deploying over group policy, you’ll want to use this sequence to patch the respective applications:
Adobe Acrobat: 9.0 -> 9.1 -> 9.1.2 -> 9.2 -> 9.3 -> 9.3.2 -> 9.3.3 -> 9.4
Adobe Reader: 9.4 (released as a full .msi)
You can then follow the instructions I’ve published previously for deploying Adobe Acrobat 9.3.2 via group policy.
Now, it’s time for me to run off to work to deploy the patch to the machines I’m responsible for. Best of luck!