Thursday, August 19, 2010

Adobe Issues Acrobat, Reader Security Patches

Well, Adobe shipped an "emergency" set of patches for Adobe Reader 8.x and 9.x.  If you are updating manually you can get them here: Adobe.com - New downloads.  So far they appear to be working fine on all the systems where I have installed them.

Adobe ships critical PDF Reader patch | ZDNet
Adobe has shipped a security bulletin with patches for two critical vulnerabilities in its PDF Reader and Acrobat software products.
The flaws fixed in this out-of-cycle patch affect Adobe Reader 9.3.3 and earlier versions for Windows, Mac and UNIX; and Adobe Acrobat 9.3.3 and earlier versions for Windows and Mac.
Adobe’s advisory spells out the severity:

These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Today’s patch comes on the heels of a Black Hat conference presentation where researcher Charlie Miller provided details of an exploitable vulnerability in Adobe’s PDF Reader software.  Miller’s presentation did not include technical details of the flaw but attendees were able to piece together clues to determine that the flaw could lead to code execution attacks with rigged PDF files.

Adobe confirmed that this update fixes that Black Hat vulnerability.  Google’s Tavis Ormandy is credited with reporting the flaw.  Miller was not credited in Adobe’s advisory.

The update also incorporates patches from the Adobe Flash Player Security Bulletin APSB10-16.

Adobe Issues Acrobat, Reader Security Patches — Krebs on Security
Adobe Systems Inc. today issued software updates to fix at least two security vulnerabilities in its widely-used Acrobat and PDF Reader products. Updates are available for Windows, Mac and UNIX versions of these programs.  ... 

Today’s update is an out-of-cycle release for Adobe, which recently moved to a quarterly patch release schedule. The company said the update addresses a vulnerability that was demonstrated at the Black Hat security conference in Las Vegas last month. The release notes also reference a flaw detailed by researcher Didier Stevens back in March. Adobe said it is not aware of any active attacks that are exploiting either of these bugs.

More information on these patches, such as updating older versions of Acrobat and Reader, is available in the Adobe security advisory.
