Thursday, April 21, 2011

Security updates available for Adobe Reader and Acrobat

I use Foxit Reader or SumatraPDF in preference to Adobe Reader, but most users have Adobe installed. Update 8:30 PM: added Krebs-on-Security blog reference info at bottom.

Adobe Reader and Acrobat Security Updates

Adobe released important security updates for Adobe Reader X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh OS. The bulletin is posted here.

Affected software:

Adobe Reader X (10.0.1) and earlier versions for Windows
Adobe Reader X (10.0.2) and earlier versions for Macintosh
Adobe Acrobat X (10.0.2) and earlier versions for Windows and Macintosh

NOTE: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by CVE-2011-0611.
Adobe-Security Bulletins: APSB11-08 - Security update available for Adobe Reader and Acrobat
Release date: April 21,2011
Adobe Reader, Acrobat Update Nixes Zero Day — Krebs on Security
Adobe shipped updates to its PDF Reader and Acrobat products today to plug a critical security hole that attackers have been exploiting to break into computers. Fixes are available for Mac, Windows and Linux versions of these software titles.

The patch released today addresses two critical flaws. Adobe pushed out a patch for the standalone Flash Player last week, but that same vulnerable component exists in Adobe Reader and Acrobat. Initially, Adobe said it was only aware of attacks on the Flash Player but, in the the latest advisory, it acknowledged the existence of public reports that hackers have been sending out poisoned PDFs that exploit the Flash flaw., for example, reported that it was receiving reports of malicious PDFs attacking the Flash bug as early as Apr. 17.

The Reader/Acrobat patch also addresses another critical bug (a flaw in the CoolType library of Reader & Acrobat) that could allow attackers to install malicious software. Not much information is public about this vulnerability, except that Poland’s CERT is credited with reporting it. Adobe spokesperson Wiebke Lips said the company was not aware of any exploits in the wild targeting this bug.

No comments: