Security updates released for Adobe Acrobat & Reader
On Thursday, August 19, 2010, Adobe released critical "out of cycle" security updates, 9.3.4 and 8.2.4, for its commercial Acrobat PDF encoder and free Adobe PDF Reader programs. Today's updates fix at least two critical vulnerabilities that are being exploited in the wild. Exploitation of these vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Updates are available for Windows, Mac and UNIX versions of these Adobe programs. Windows users may receive automatic updates notices, or may be auto-updated, depending on how you have set your updater preferences (Edit > Preferences > Updater). You can also check manually, buy going to the Help menu item, then down to "Check for updates." An updater window will open separately, download the new version upon receiving your permission. It will close Reader or Acrobat, then install then new version. If you were working on any PDF documents, save them and exit the application during the update phase. It may take some time to complete (I don't know why, it just does!).
The official Common Vulnerabilities and Exposures code for today's update is: CVE-2010-2862, which was discussed and demonstrated at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010. The actual vulnerability is described as: "Integer overflow in CoolType.dll in Adobe Reader 8.2.3 and 9.3.3, and Acrobat 9.3.3, allows remote attackers to execute arbitrary code via a TrueType font with a large maxCompositePoints value in a Maximum Profile (maxp) table."
Further details are: "Network exploitable; Victim must voluntarily interact with attack mechanism" - which they are tricked into doing.
Vulnerability details were provided and/or discovered by: Charlie Miller, Independent Security Evaluators, and Tavis Ormandy, Google Security Team.
All of this follows on the heels of another out-of-cycle critical update in Adobe's Flash Player, on August 11. It appears that Adobe Acrobat and Reader bundle a version of Flash inside the program, and that version was exploitable, via authplay.dll. The new updates to Reader and Acrobat supply the latest, patched version of Flash, bundled inside those programs.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.