As pre-announced last week Adobe has released updates to all versions and all operating systems of Acrobat and Reader to address two vulnerabilities describe in the now-updated advisory.
The first is the Flash vulnerability addressed last week, and is necessary because PDFs can host Flash content. It could subvert the domain sandbox and make unauthorized cross-domain requests. The second is a critical vulnerability that could cause a crash and potentially remote code execution. This latter vulnerability is credited to the Microsoft Vulnerability Research Program (MSVR).
Users should update to versions 9.3.1 or 8.2.1, the links to which are in the advisory. Alternatively, you can "Check for Updates" in the Help menu.
Coincidentally, a 2009 Global Threat Report from ScanSafe, a Cisco company, shows that in the 4th quarter of 2009 80% of all web-based exploits were malicious PDFs. It's not surprising that the PDF number is large, but this number is so large it's hard to believe, especially in as much as Flash exploits were 18%.
But the underlying issue is dead-on: PDFs and Flash are ground zero for malware on the web these days. Just by keeping up to date on your client software you can protect yourself against almost all of it.
