Adobe patches PDF zero-day, other critical bugs
Also switches on automatic updater for Reader and Acrobat beta testers
Computerworld - Adobe late Tuesday patched eight security vulnerabilities, six of them critical, in its popular PDF viewing and editing programs.
Security experts urged consumers and corporate IT administrators to use the time provided by a light month of Microsoft patching to update Adobe Reader and Acrobat, calling the Adobe fixes more important for one of the first times ever.
Tuesday's Adobe update, the company's third since it announced it would patch Reader and Acrobat quarterly, fixed one flaw that hackers had already exploited.
The bug, which was publicly disclosed in mid-December but has been used by attackers since November, had gone unpatched until yesterday. Last month, Adobe said it would not patch the bug until Jan. 12 because an emergency fix would upset the schedule of quarterly security updates. In the interim, hackers continued to launch limited attacks that targeted specific individuals and companies, and conducted large-scale campaigns that touched thousands of users.
Adobe tagged six of the eight vulnerabilities with the phrases "could allow arbitrary code execution" or "could lead to code execution," securityspeak for bugs that could be used to hijack a system. Like Apple, Adobe does not assign ratings to the flaws it fixes.
Three of the critical bugs were in Reader's and Acrobat's parsing and support of U3D (Universal 3D) files, one was in Adobe's download manager -- which is bundled with Reader and Acrobat -- and the fifth was a memory corruption problem. The update also patched less serious flaws that could be used to crash Reader or Acrobat, or could be used by a hacker to change the software's security settings.
The patches brought Adobe Reader and Adobe Acrobat up to Versions 9.3 and 8.2, respectively. Reader refreshes are available for Windows, Mac and Linux; Acrobat updates are available for Windows and Mac only. Patch support for Reader and Acrobat 7 ended a month ago.
Adobe has struggled to keep pace with hackers, who took to PDF vulnerabilities in a big way last year and seem like they will continue the trend in 2010. Last year, Adobe patched four vulnerabilities only after they had already been exploited; 2010 hasn't started out much better, with one PDF zero-day already on the books.
To help consumers stay up to date -- and have a better chance of fending off attacks -- Adobe yesterday launched a beta test of a background update tool. The Adobe Reader/Acrobat Updater was silently installed on users' machines last October but was switched on only for a small number of testers Tuesday. If the beta is successful, Adobe will enable the behind-the-scenes tool for all on April 13, the next scheduled security update for Reader and Acrobat.
Adobe Reader can be downloaded for Windows, Mac and Linux from Adobe's Web site; Acrobat for Windows and Mac can be downloaded using the links included in Tuesday's advisory. Alternately, users can use the programs' built-in update mechanism to grab the new versions.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at
@gkeizer, send e-mail to gkeizer@ix.netcom.com or subscribe to Gregg's RSS feed
.
Web giants attacked
- White House orders security review in wake of WikiLeaks disclosure
- Leaked U.S. document links China to Google attack
- Update: Researchers track cyber-espionage ring to China
- Google, China now playing cat and mouse?
- McAfee: 'Amateur' malware not used in Google attacks
- Military warns of 'increasingly active' cyber-threat from China
- China: Google 'totally wrong' to stop censoring
- Update: Google stops censoring in China
- Google's China ad partners wait in 'incomparable pain'
- Google may soon leave China, reports say
Read more about Security in Computerworld's Security Topic Center.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Google: Security for Google Apps Messaging & Collaboration
- Content provided by Google
Find out about how Google creates a security-based platform for Google Apps, covering topics like information security, physical security, and... - An Interactive Guide: Bring Your Own Device
- BYOD presents significant security and management challenges to IT departments who want to take advantage of the trend, but still protect corporate assets....
- Fundamental Principles of Network Security
- This paper covers the fundamentals of secure networking systems, including firewalls, network topology and secure protocols. Best practices are also given that introduce...
- Protection Against Modern Cybersecurity Threats
- Download this case study to learn how this accounting and consulting giant uses Bit9's adaptive application whitelisting to offer employees flexibility without jeopardizing...
- A Proactive Approach to Server Security
- Learn why security-conscious organizations are taking a more proactive approach to server security. Download this Spire Research whitepaper to understand how you can... All Security White Papers
- Live Webcast
Playing Defense: Staying on Top of Your Disaster Recovery Game - When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
- Introduction to VMware vCenter Site Recovery Manager 5
- Traditional disaster recovery solutions are often too expensive, complex and unreliable to meet business requirements. As a result, IT departments are hesitant to...
- The Top Ten Secrets to Avoiding SAN Performance Problems
- Maintaining peak performance while simultaneously addressing the root cause of SAN errors is challenging. Learn the most common SAN problems and explore new...
- Deduplication Without Compromise
- Go inside Quantum's scalable, high-performance, multi-protocol new DXi deduplication appliances, designed to make backup much more effective. Discover how the new future-proof DXi6700...
- Director of Disk Products Discusses DXi6700
- Discover how the new DXi 6700 series of deduplication appliances provide investment protection and a future-proof feature set, all while delivering fast, scalable,...
- Playing Defense: Staying on Top of Your Disaster Recovery Game
- When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing... All Security Webcasts
