Adobe released an update for the Adobe Reader and Acrobat product line for Windows, Mac OS X and Unix that fixes 23 vulnerabilities.
The new version fixes two 0-day vulnerabilities that have seen limited exposure in the wild:
- CVE-2010-2884 is a vulnerability in Adobe Flash that was addressed last week in the standalone Flash player. Adobe Reader includes its own version of Flash and needs to be patched independently.
- CVE-2010-2883 is a vulnerability in the font handling of Adobe Reader and can be triggered by opening a malicious PDF document. Exploit code has already been made available in some of the exploit tools; the attack is well documented and easy for malware authors to integrate.
The update is considered critical and should be applied as soon as possible.
Adobe also published a blog post detailing one of the planned security features for the upcoming Adobe Reader 10: the protected mode, a sandboxing technology similar to what Google Chrome is offering. It looks as if the sandboxing will be implemented first on the Windows OS family; there is no mention of "protected mode" for Mac OS X or Unix.