Late last week, Adobe was struggling with the automation launch flaw first discovered by Didier Stevens. Gottwals, a member of Adobe’s security team, addressed it on the Adobe blog, saying, ‘We are currently researching the best approach for this functionality in Adobe Reader and Acrobat,’ and noting that the company may introduce changes in a future update.
The full blog post in reference to the automatic launch issue can be found here. On his blog, Gottwals also detailed directions for users to disable the automatic launch feature.
Adobe’s Brad Arkin also posted a note on the new automatic updater released today. His blog post can be found in full here. Arkin stated on the blog, ‘Given this emphasis on staying up-to-date, we have been fielding questions about why the Adobe Download Center doesn’t always serve the most recent version of Adobe Reader. (For instance, when the April 13, 2010 update goes out, the latest version of Adobe Reader will be 9.3.2, while the Download Center will offer version 9.3.0.) Since the explanation does not fit into the 140 characters of a tweet, let me provide more insight into the reasoning here.’ Arkin then briefly describes the process of creating updates.
Meanwhile, Adobe today issued an advisory identifying critical patches for Adobe Reader 9.3 (and earlier versions) for Windows, Mac and Unix; Adobe Acrobat 9.3.1 (and earlier versions) for Windows and Macintosh; and Adobe Reader 8.2.1 (and earlier versions) and Adobe Acrobat 8.2.1 (and earlier versions) for Windows and Macintosh.
Adobe fixed 15 security holes and noted, ‘The vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.’ The company said the update is critical to avoid the risk of remote code execution from hacked PDF files.