Adobe patched an impressive 23 vulnerabilities in Reader and Acrobat today, setting a record for this year. Computerworld reports that the patches are mostly critical and include one for a flaw that has been actively exploited for a month or more. The update arrives a week ahead of schedule: Adobe promised to move the release date up to address a new font-parsing vulnerability that is already being attacked.
Adobe has recently had to put out quite a few zero-day patches, including an out-of-band patch for an attack on Flash in September and now this new font bug. Today's update includes the Flash patch as well, because Reader and Acrobat include code to run Flash content embedded in PDFs.
The most notable patch is for the exploit found in early September by Mila Parkour. This exploit was described as “scary” and “clever” because it bypassed built-in Windows protections with ease and used a stolen signed digital certificate. The exploit was later named after David Letterbeater, who was the subject of many rigged emails sent as part of the attack.
Adobe notes that 20 of the vulnerabilities being patched could lead to code execution, which would let attackers hijack the computer. Unlike Microsoft, Adobe does not assign official threat ratings to patches. Two of the remaining bugs could be used to crash Reader or Acrobat, and the last is a bug that affects only the Linux version of Reader. To update your copy of Reader or Acrobat, run the auto-updater or grab the link from the official Adobe advisory.