Adobe patches PDF zero-day, other critical bugs
Also switches on automatic updater for Reader and Acrobat beta testers
Computerworld - Adobe late Tuesday patched eight security vulnerabilities, six of them critical, in its popular PDF viewing and editing programs.
Security experts urged consumers and corporate IT administrators to use the time provided by a light month of Microsoft patching to update Adobe Reader and Acrobat, calling the Adobe fixes more important for one of the first times ever.
Tuesday's Adobe update, the company's third since it announced it would patch Reader and Acrobat quarterly, fixed one flaw that hackers had already exploited.
The bug, which was publicly disclosed in mid-December but has been used by attackers since November, had gone unpatched until yesterday. Last month, Adobe said it would not patch the bug until Jan. 12 because an emergency fix would upset the schedule of quarterly security updates. In the interim, hackers continued to launch limited attacks that targeted specific individuals and companies, and conducted large-scale campaigns that touched thousands of users.
Adobe tagged six of the eight vulnerabilities with the phrases "could allow arbitrary code execution" or "could lead to code execution," securityspeak for bugs that could be used to hijack a system. Like Apple, Adobe does not assign ratings to the flaws it fixes.
Three of the critical bugs were in Reader's and Acrobat's parsing and support of U3D (Universal 3D) files, one was in Adobe's download manager -- which is bundled with Reader and Acrobat -- and the fifth was a memory corruption problem. The update also patched less serious flaws that could be used to crash Reader or Acrobat, or could be used by a hacker to change the software's security settings.
The patches brought Adobe Reader and Adobe Acrobat up to Versions 9.3 and 8.2, respectively. Reader refreshes are available for Windows, Mac and Linux; Acrobat updates are available for Windows and Mac only. Patch support for Reader and Acrobat 7 ended a month ago.
Adobe has struggled to keep pace with hackers, who took to PDF vulnerabilities in a big way last year and seem like they will continue the trend in 2010. Last year, Adobe patched four vulnerabilities only after they had already been exploited; 2010 hasn't started out much better, with one PDF zero-day already on the books.
To help consumers stay up to date -- and have a better chance of fending off attacks -- Adobe yesterday launched a beta test of a background update tool. The Adobe Reader/Acrobat Updater was silently installed on users' machines last October but was switched on only for a small number of testers Tuesday. If the beta is successful, Adobe will enable the behind-the-scenes tool for all on April 13, the next scheduled security update for Reader and Acrobat.
Adobe Reader can be downloaded for Windows, Mac and Linux from Adobe's Web site; Acrobat for Windows and Mac can be downloaded using the links included in Tuesday's advisory. Alternately, users can use the programs' built-in update mechanism to grab the new versions.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to firstname.lastname@example.org or subscribe to Gregg's RSS feed .
Web giants attacked
- White House orders security review in wake of WikiLeaks disclosure
- Leaked U.S. document links China to Google attack
- Update: Researchers track cyber-espionage ring to China
- Google, China now playing cat and mouse?
- McAfee: 'Amateur' malware not used in Google attacks
- Military warns of 'increasingly active' cyber-threat from China
- China: Google 'totally wrong' to stop censoring
- Update: Google stops censoring in China
- Google's China ad partners wait in 'incomparable pain'
- Google may soon leave China, reports say
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts