Patch Schedule Announced for Actively Exploited Adobe Reader Vulnerability
Adobe plans to ship a fix for the actively exploited critical vulnerability in Adobe Reader and Acrobat during the week of October 4.
The remote code execution flaw, identified as CVE-2010-2883, was
confirmed by Adobe last Wednesday after being spotted in attacks infecting users with malware.
The exploit employs advanced techniques such as return-oriented programming, which defeat ASLR and DEP protection in Windows Vista and 7.
In addition, the the payload
involves dropping a piece of malware that was digitally signed with a valid certificate stolen from a US-based credit union.
"
We are in the process of finalizing a fix for the issue and expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010," Adobe says in the associated
advisory.
This represents an accelerated release of the quarterly update originally scheduled for October 12 and will also address a separate critical vulnerability affecting the Adobe Reader Flash interpreter (authplay.dll).
This second vulnerability (CVE-2010-2884) is also
being exploited at the moment to infect computers and will be fixed in Flash Player in around two weeks.
