After F-Secure told the public to avoid using Acrobat Reader last Friday (story), Adobe immediately issued a statement on its Product Security Incident Response Team blog, saying that it was currently investigating the vulnerability reports and would update consumers with its findings.

Adobe quickly returned with an update, reporting that "shipping" versions of both Adobe Reader and Acrobat (9.1, 8.1.4, and 7.1.1, and earlier versions) were vulnerable to the issue described by F-Secure. The security fix, when released, would address all supported versions for Windows, Macintosh, and Unix.

"We are working on a development schedule for these updates and will post a timeline as soon as possible," the company said. "We are currently not aware of any reports of exploits in the wild for this issue." The company also said that it was in contact with antivirus and security vendors in order to "ensure the security of our mutual customers."

In the meantime, Adobe said that consumers should disable JavaScript in Adobe Reader and Acrobat. To do this, consumers go into the Preferences section in the Edit menu, select the JavaScript category, uncheck the "Enable Acrobat JavaScript" option, and click "OK." However, F-Secure's chief research officer Mikko Hypponen suggested that users abandon the software altogether, that Adobe Reader is the new Internet Explorer 6, and that consumers should find an alternate program to view and alter PDF files by accessing this website. "That's my advice," Hypponen said last Friday. "I don't expect a Christmas card from Adobe."

Still, with the upcoming fix, Adobe is proving to be on top of security issues. Hypponen even suggested that Adobe get into an update schedule much like Microsoft, releasing monthly patches on a regular basis. However, as Hypponen originally pointed out, most Acrobat and Reader consumers aren't fully aware that the programs require updating on a security level, and often avoid installing updates even when alerted by the software. A monthly update may make consumers more aware that Adobe products need constant mending much like the Windows operating system.

In addition to the current vulnerability, Adobe also said that it was looking into an issue listed as BID 34740 on the SecurityFocus website, a vulnerability that enables an attacker to execute malicious code remotely. "An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users," said SecurityFocus. Currently the vulnerability only affects Adobe Reader 8.1.4, and 9.1.

"We will continue to provide updates on these issues via the Security Advisory section of the Adobe web site, as well as the Adobe PSIRT blog," Adobe said. Stay tuned for more updates regarding both security issues.