Adobe has released updates for its Reader and Acrobat products in order to address several vulnerabilities that can be exploited to execute arbitrary code remotely.
The new 9.4.1 versions have been released only for Windows and Mac; the UNIX updates are scheduled to land on November 30.
Patched bugs include CVE-2010-4091, a memory corruption vulnerability disclosed as a zero-day at the beginning of the month.
Despite proof-of-concept exploit code being publicly available, no attacks exploiting this flaw have been detected in the wild so far.
There is reason to believe the issue has been known in some hacking circles since November 2009, when details about it were published on Russian-language blogs.
Vulnerability research company VUPEN confirmed that, in addition to triggering a denial-of-service condition, the flaw can be exploited to execute arbitrary code on the target system.
A patch for CVE-2010-4091 was rushed into this out-of-band update, which was already being prepared for release in order to address an actively exploited Flash vulnerability.
Identified as CVE-2010-3654, the Flash issue was discovered in late October, when it began being exploited in the wild via maliciously crafted SWF content embedded in PDF documents.
The flaw affects Adobe Reader and Acrobat through the Flash interpreter integrated into the two products as a library called authplay.dll.
This latest release updates authplay.dll to the latest Flash Player version, released on November 5, which addresses a total of eighteen critical vulnerabilities.
Nevertheless, Adobe Reader 8.x users will remain vulnerable to CVE-2010-4091 until February 8, 2011, when the next quarterly updates are scheduled to land.
The latest version of Adobe Reader for Windows can be downloaded here.
The latest version of Adobe Reader for Mac can be downloaded here.