Adobe on Thursday began serving up security updates for Adobe Reader and Acrobat slightly ahead of schedule, but not a moment too soon. The out-of-cycle updates address critical vulnerabilities that are being actively exploited in the wild, widely enough to have drawn the attention of the Department of Homeland Security/US-CERT. Left unpatched, the vulnerabilities could allow remote attackers to execute arbitrary code and take control of an affected system, giving them unfettered access to user data, or to crash the machine.
Adobe owned up to the fact that one of the vulnerabilities, CVE-2011-0611, is being actively exploited against Adobe Flash Player and against Adobe Reader and Acrobat, as well as via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Excel (.xls) file that is delivered as an email attachment and targets the Windows platform.
This is the second time in a four-week span that Adobe has acknowledged a Flash zero-day vulnerability that hackers were actively using. As for the current security flaw, Adobe shipped a patched version of Flash Player a week ago today and said it would fix Reader and Acrobat during the week of April 25th, as both rely on a vulnerable component of Flash.