Most of the 29 Reader and Acrobat flaws were rated “critical,” which Adobe defines as “a vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware.” All but three of the flaws affected Reader X, the upgraded version that includes sandbox technology.
Adobe updated Flash to version 10.2 and plugged 13 critical bugs, 8 of which were memory corruption flaws. “These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.”
The company fixed 21 critical flaws in Shockwave; “these vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.”
Adobe fixed five “important” security flaws in ColdFusion, which “could lead to cross-site scripting, Session Fixation, CRLF injection and information disclosure.”
Andrew Storms, director of security operations for nCircle Security, said that he was “surprised by the coordination” of the Adobe security updates. “It almost seemed like Adobe had their patch cycle for a change,” he told Computerworld.
Adobe’s updates tend to be a “take it or leave kind of thing, it's very black and white. Pretty much everything is remote code and we have no details to provide insight or decent mitigation if you have to hold off for some reason or another,” he said.