In reply to questions, Adobe said it evaluated each bug when it decided to either hold for the next regular update or ship it ASAP. "There are many factors that are being considered in each case, and each vulnerability is unique," said Brad Arkin, Adobe's director for product security and privacy, in an e-mail today. "Ultimately, the decision in each case comes down to what we can do to best mitigate threats to our customers."
Timing may have played a part, if Arkin's comments two months ago are still valid. At the time, he said that Adobe would be more likely to issue an out-of-band update early in the quarterly cycle. Adobe last patched Reader on Jan. 12 when it quashed eight bugs.
Adobe's patch-or-no-patch decision-making was questioned last December. At the time, Adobe said it would not patch a then-exploited Reader vulnerability for several weeks because to push out an emergency update would have disrupted its quarterly security schedule. Adobe took heat from some users and security experts for not immediately fixing a flaw that hackers were actively using.
Arkin did not address Computerworld's questions today about an apparent lack of consistency in how it distributes Reader and Acrobat updates, saying only that, "We were able to fix vulnerability CVE-2010-0188 at the same time, without delaying the fix for the Flash Player vulnerability."
Adobe Reader 9.3.1 and 8.2.1 can be downloaded using links in the security update's accompany bulletin.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is email@example.com.
Read more about security in Computerworld's Security Knowledge Center.