Adobe plugs 6 critical holes in Reader
Computerworld - Adobe on Tuesday patched six vulnerabilities in the newest version of its popular Reader PDF viewer, making good on a late-2011 promise when it shipped an emergency update for an older edition.
That update addressed bugs that attackers had exploited with rigged PDF documents emailed to a large number of companies, including major U.S. defense contractors last December, probably as part of an effort to steal confidential information. Researchers found clues in the attack tactics and exploit code that pointed to Chinese hacker involvement.
While Adobe patched Reader 9 on Windows almost a month ago, it deferred updates for Reader 10 on all platforms, and for Reader 9 on Mac and Linux. The exploits would fail if aimed at Reader 10 because of that version's protective "sandbox" technology, Adobe said, and Mac and Linux users were in little danger because attackers were focused on Windows PCs.
Tuesday's update patched not only the two known bugs but also four others. Adobe rated all six as critical, saying in an accompanying advisory that they could give hackers the openings necessary to hijack a computer or infect it with malware.
The four previously-undisclosed bugs were reported by researchers from Google's security team, the Danish vulnerability tracking firm Secunia and HP TippingPoint's bug bounty program.
The most up-to-date edition for Linux, version 9.4.7, includes patches for just the two vulnerabilities disclosed last month.
Those already-being-exploited vulnerabilities had been reported to Adobe by Lockheed Martin, one of the U.S's largest aerospace and defense contractors, and the Defense Security Information Exchange (DSIE), a group of defense contractors that share cyber-attack intelligence.
Security experts applauded the additional flexibility Tuesday.
The updated editions of Reader for Windows and Mac OS X can be downloaded from Adobe's support website. Current users can run the programs' integrated update tool or wait for the software to prompt them that a new version is available.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- 10 Things Your Next Firewall Must do Next-Generation Firewalls Defined
- Firewall Buyers Guide Operate as the core of your network security infrastructure
- Getting Started With a Zero Trust Approach to Network Security The Traditional Approach to Network Security is Failing. View Now>>
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts