Maybe it’s not such a good idea to only plan security updates once a quarter. Adobe, who began using such a schedule last year, finds itself with critical flaws in Flash and Reader that need to be updated quickly. The company rushed out an update to Flash, for a vulnerability which “could subvert the domain sandbox and make unauthorized cross-domain requests.” This issue affects both Flash and Air. (Download links for these products can be found on the page linked above.)
As for Acrobat and Reader, Adobe issued a security bulletin saying:
Adobe is planning to release an update for Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh to resolve critical security issues, including the Flash Player issue described in Security Bulletin APSB10-06. Adobe expects to make these updates available on February 16, 2010.
While the Acrobat bug isn’t public, a Macworld article says, “In theory, hackers could learn about the bug by looking at the Flash Player patch and then use that information to attack Reader and Acrobat, but Adobe is giving them just a five-day window to complete this work.” But “Adobe isn’t aware of any attacks that exploit this Flash Player bug.”
So, hey, just use Preview instead of Adobe’s products, and update Flash as soon as possible. Flash objects can be embedded on any web site, and you may not even know that Flash is being used.