Tuesday, February 16, 2010

Security updates available for Adobe Reader

If you use Adobe Reader (I don't, I use the also-free Foxit Reader in an attempt to reduce my attack surface ;-)), you should patch NOW. Here are links to several pages about the new Adobe Reader patches:

Adobe - Security Bulletins: APSB10-07 Security updates available for Adobe Reader and Acrobat
A critical vulnerability has been identified in Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh. As described in Security Bulletin APSB10-06, this vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Reader 9.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.1. (For Adobe Reader users on Windows and Macintosh who cannot update to Adobe Reader 9.3.1, Adobe has provided the Adobe Reader 8.2.1 update.) Adobe recommends users of Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.1. Adobe recommends users of Acrobat 8.2 and earlier versions for Windows and Macintosh update to Acrobat 8.2.1.

ZDNet reported this also, with a very unflattering headline:

Zero Day | ZDNet.com: Adobe plugs more gaping holes in PDF Reader
Adobe today released an out-of-band security update to patch a pair of gaping holes that expose hundreds of millions of computer users to remote code execution attacks.

The vulnerabilities are rated “critical” and affect Adobe Reader and Adobe Acrobat on all platforms — Windows, Mac and Linux.

This PDF Reader/Acrobat update falls outside of the company’s scheduled quarterly patch cycle. It is not yet clear why Adobe opted for an out-of-band patch but the presence of Microsoft’s security research team as a flaw-finder on this bulletin suggests Redmond may have pressured Adobe to rush out a fix.

Adobe insists there are no active attacks or exploit code publicly available.

There is also a clear connection to a patch released last week for Adobe Flash Player. That Flash patch covered a hole (CVE-2010-0186) that could subvert the domain sandbox and make unauthorized cross-domain requests.

In today’s Reader/Acrobat bulletin, the same vulnerability is referenced as affecting Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh.

A related story on ZDNet's Security blog today claims that Malicious PDF files comprised 80 percent of all exploits for 2009
A newly released report shows that based on more than a trillion Web requests processed in 2009, the use of malicious PDF files exploiting flaws in Adobe Reader/Adobe Acrobat not only outpaced the use of Flash exploits, but also grew to 80% of all exploits the company encountered throughout the year.