Two security notes

Adobe Reader 9.1 is now available. It addresses a type of “malformed PDF can crash” exploit which was heavily blogged two weeks ago. I’d recommend installing it… although I haven’t seen much discussion of actual exploits, the hack itself was promoted enough that it might spur people to try. (Those early press accounts also had a good deal of inaccurate information… the Adobe Security team is circumspect in what they say, and remains the best resource on issues like this.)

If you’re on a locked machine where you must use Reader 8.x or 7.x, we expect the updaters for those versions online next week.

Also, last week’s Flash Player update did have auto-update turned on… I checked after reading this article at The Register which wondered. You can set your own Player preferences for how frequently to check for updates — the default is checking every 30 days. If you use both IE and some other browser on a PC, then you’ll indeed need to update both wrappers for the common Adobe Flash Player — that’s the way the browsermakers have set it up. (The article at The Register invited comments, but it’s hard to justify a site-specific password which doesn’t edit anonymous comments.)