Adobe patches PDF zero-day, other critical bugs
Also switches on automatic updater for Reader and Acrobat beta testers
Computerworld - Adobe late Tuesday patched eight security vulnerabilities, six of them critical, in its popular PDF viewing and editing programs.
Security experts urged consumers and corporate IT administrators to use the time provided by a light month of Microsoft patching to update Adobe Reader and Acrobat, calling the Adobe fixes more important for one of the first times ever.
Tuesday's Adobe update, the company's third since it announced it would patch Reader and Acrobat quarterly, fixed one flaw that hackers had already exploited.
The bug, which was publicly disclosed in mid-December but has been used by attackers since November, had gone unpatched until yesterday. Last month, Adobe said it would not patch the bug until Jan. 12 because an emergency fix would upset the schedule of quarterly security updates. In the interim, hackers continued to launch limited attacks that targeted specific individuals and companies, and conducted large-scale campaigns that touched thousands of users.
Adobe tagged six of the eight vulnerabilities with the phrases "could allow arbitrary code execution" or "could lead to code execution," securityspeak for bugs that could be used to hijack a system. Like Apple, Adobe does not assign ratings to the flaws it fixes.
Three of the critical bugs were in Reader's and Acrobat's parsing and support of U3D (Universal 3D) files, one was in Adobe's download manager -- which is bundled with Reader and Acrobat -- and the fifth was a memory corruption problem. The update also patched less serious flaws that could be used to crash Reader or Acrobat, or could be used by a hacker to change the software's security settings.
The patches brought Adobe Reader and Adobe Acrobat up to Versions 9.3 and 8.2, respectively. Reader refreshes are available for Windows, Mac and Linux; Acrobat updates are available for Windows and Mac only. Patch support for Reader and Acrobat 7 ended a month ago.
Adobe has struggled to keep pace with hackers, who took to PDF vulnerabilities in a big way last year and seem like they will continue the trend in 2010. Last year, Adobe patched four vulnerabilities only after they had already been exploited; 2010 hasn't started out much better, with one PDF zero-day already on the books.
To help consumers stay up to date -- and have a better chance of fending off attacks -- Adobe yesterday launched a beta test of a background update tool. The Adobe Reader/Acrobat Updater was silently installed on users' machines last October but was switched on only for a small number of testers Tuesday. If the beta is successful, Adobe will enable the behind-the-scenes tool for all on April 13, the next scheduled security update for Reader and Acrobat.
Adobe Reader can be downloaded for Windows, Mac and Linux from Adobe's Web site; Acrobat for Windows and Mac can be downloaded using the links included in Tuesday's advisory. Alternately, users can use the programs' built-in update mechanism to grab the new versions.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to email@example.com or subscribe to Gregg's RSS feed .
Web giants attacked
- White House orders security review in wake of WikiLeaks disclosure
- Leaked U.S. document links China to Google attack
- Update: Researchers track cyber-espionage ring to China
- Google, China now playing cat and mouse?
- McAfee: 'Amateur' malware not used in Google attacks
- Military warns of 'increasingly active' cyber-threat from China
- China: Google 'totally wrong' to stop censoring
- Update: Google stops censoring in China
- Google's China ad partners wait in 'incomparable pain'
- Google may soon leave China, reports say
Read more about Security in Computerworld's Security Topic Center.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!