As to the frequent patching Adobe has had to do on the programs, particularly to quash JavaScript-related bugs, Acre had an opinion, however. "Reader is huge, and it has a lot of functionality," he said Tuesday. "Big and complex software tends to have more implementation bugs than simple and easy-to-maintain software."
Shortly after Core Security published its advisory, Adobe followed with its own. The advisory offered links to updates to Reader 8.1.3 and Acrobat 8.1.3, and included terse descriptions of the other seven vulnerabilities patched Tuesday, which included additional input validation bugs, a pair of flaws in Reader's download manager and a vulnerability that had been published publicly last May.
Adobe said it had no reports of active attacks using any of the eight vulnerabilities, something Core Security echoed for the flaw it had reported. "We told them, 'Look, this is fine, we'll wait for your patch'," said Arce, referring to conversations with Adobe when the vendor postponed its patch. "But we said, 'If we detect it in the wild, we'll release [our advisory] so people will know what to do. So far we haven't seen any attacks."
Users running Adobe Reader or Acrobat 9 don't need to take any action to protect their machines.