Adobe patches PDF zero-day, other critical bugs

Computerworld - Adobe late Tuesday patched eight security vulnerabilities, six of them critical, in its popular PDF viewing and editing programs.

Security experts urged consumers and corporate IT administrators to use the time provided by a light month of Microsoft patching to update Adobe Reader and Acrobat, calling the Adobe fixes more important for one of the first times ever.

Tuesday's Adobe update, the company's third since it announced it would patch Reader and Acrobat quarterly, fixed one flaw that hackers had already exploited.

The bug, which was publicly disclosed in mid-December but has been used by attackers since November, had gone unpatched until yesterday. Last month, Adobe said it would not patch the bug until Jan. 12 because an emergency fix would upset the schedule of quarterly security updates. In the interim, hackers continued to launch limited attacks that targeted specific individuals and companies, and conducted large-scale campaigns that touched thousands of users.

Adobe tagged six of the eight vulnerabilities with the phrases "could allow arbitrary code execution" or "could lead to code execution," securityspeak for bugs that could be used to hijack a system. Like Apple, Adobe does not assign ratings to the flaws it fixes.

Three of the critical bugs were in Reader's and Acrobat's parsing and support of U3D (Universal 3D) files, one was in Adobe's download manager -- which is bundled with Reader and Acrobat -- and the fifth was a memory corruption problem. The update also patched less serious flaws that could be used to crash Reader or Acrobat, or could be used by a hacker to change the software's security settings.

The patches brought Adobe Reader and Adobe Acrobat up to Versions 9.3 and 8.2, respectively. Reader refreshes are available for Windows, Mac and Linux; Acrobat updates are available for Windows and Mac only. Patch support for Reader and Acrobat 7 ended a month ago.

Adobe has struggled to keep pace with hackers, who took to PDF vulnerabilities in a big way last year and seem like they will continue the trend in 2010. Last year, Adobe patched four vulnerabilities only after they had already been exploited; 2010 hasn't started out much better, with one PDF zero-day already on the books.

To help consumers stay up to date -- and have a better chance of fending off attacks -- Adobe yesterday launched a beta test of a background update tool. The Adobe Reader/Acrobat Updater was silently installed on users' machines last October but was switched on only for a small number of testers Tuesday. If the beta is successful, Adobe will enable the behind-the-scenes tool for all on April 13, the next scheduled security update for Reader and Acrobat.

Adobe Reader can be downloaded for Windows, Mac and Linux from Adobe's Web site; Acrobat for Windows and Mac can be downloaded using the links included in Tuesday's advisory. Alternately, users can use the programs' built-in update mechanism to grab the new versions.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to gkeizer@ix.netcom.com or subscribe to Gregg's RSS feed .

Read more about Security in Computerworld's Security Topic Center.