Adobe zero-day patch won't arrive until 12 January

patched computer

A zero-day exploit for Acrobat and Reader won't be fixed until the middle of next month, Adobe has said.

Rather than develop an immediate fix, the company will simply include it as part of its regular patching cycle, due 12 January.

On its security blog, Adobe said it considered the best route to take, saying it could "stop everything else and start work immediately on an out-of-cycle security update to resolve this vulnerability with a one-off fix."

But that update would take two to three weeks. "Unfortunately, this option would also negatively impact the timing of the next quarterly security update for Adobe Reader and Acrobat scheduled for January 12, 2010," the firm said.

Instead, the fix will arrive with the regular patches.

Adobe noted that there are other security fixes in the patch that it wants to get out on schedule."The delay an out-of-cycle security update would force on the regularly scheduled quarterly release represents a significant negative," it said.

"Additionally, an informal poll we conducted indicated that most of the organizations we talked with were in favor of the second option to better align with their schedules," it added.