Adobe plugs more gaping holes in PDF Reader

Adobe plugs more gaping holes in PDF Reader

Summary: The vulnerabilities are rated "critical" and affect Adobe Reader and Adobe Acrobat on all platforms -- Windows, Mac and Linux.

SHARE:

Adobe today released an out-of-band security update to patch a pair of gaping holes that expose hundreds of millions of computer users to remote code execution attacks.

The vulnerabilities are rated "critical" and affect Adobe Reader and Adobe Acrobat on all platforms -- Windows, Mac and Linux.

This PDF Reader/Acrobat update falls outside of the company's scheduled quarterly patch cycle.  It is not yet clear why Adobe opted for an out-of-band patch but the presence of Microsoft's security research team as a flaw-finder on this bulletin suggests Redmond may have pressured Adobe to rush out a fix.

Adobe insists there are no active attacks or exploit code publicly available.

There is also a clear connection to a patch released last week for Adobe Flash Player.   That Flash patch covered a hole (CVE-2010-0186) that could subvert the domain sandbox and make unauthorized cross-domain requests.

In today's Reader/Acrobat bulletin, the same vulnerability is referenced as affecting Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh.

Adobe also credited Microsoft's researcher with discovering a a critical vulnerability (CVE-2010-0188)  that could cause the application to crash and could potentially allow an attacker to take control of the affected system.

From the advisory:

Adobe recommends users of Adobe Reader 9.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.1. (For Adobe Reader users on Windows and Macintosh who cannot update to Adobe Reader 9.3.1, Adobe has provided the Adobe Reader 8.2.1 update.) Adobe recommends users of Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.1. Adobe recommends users of Acrobat 8.2 and earlier versions for Windows and Macintosh update to Acrobat 8.2.1.

Adobe is shipping these patches via the product's automatic update facility. The default installation configuration runs automatic updates on a regular schedule, and can be manually activated by choosing Help > Check For Updates Now.

UPDATE:  Adobe spokeswoman Wiebke Lips answers some of the lingering questions:

Why go out-of-band with this update?  Are there attacks or exploit code in the wild?

The Flash Player vulnerability we fixed on February 11 also affects Adobe Reader and Acrobat. Rather than waiting for the next quarterly update for Adobe Reader and Acrobat, which is scheduled for April, Adobe decided to make this fix available as an out-of-cycle update. Adobe is not aware of any exploits in the wild for any of the issues patched in this release.

It looks like the Adobe Flash Player flaw from last week now affects Reader/Acrobat.  Are you planning on updating the Flash bulletin with this information?

We actually already disclosed this information on February 11 by issuing a separate advisory for Adobe Reader and Acrobat, which discussed the Flash Player vulnerability.

Is there a link between Microsoft finding/reporting the code execution bug and the out-of-band release?

No—other than the fact that this particular vulnerability is also fixed in this update. We decided to go out-of-cycle because of the Flash Player vulnerability we fixed on February 11 and which also affects Adobe Reader and Acrobat. Rather than waiting for the next quarterly update for Adobe Reader and Acrobat, which is scheduled for April, Adobe made the decision to make this fix available as an out-of-cycle update.

Topics: Software, Apple, Enterprise Software, Hardware, Operating Systems, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

45 comments
Log in or register to join the discussion
  • Folks running Ubuntu 9.10 are protected

    Your AppArmor Linux Security Module has an Evince (pdf reader) profile running at all times.

    So, open pdfs with Evince.

    Windows Folks, see if Microsoft will sandbox Adobe Reader.

    (Don't hold your breath)
    D.T.Schmitz
    • How much do sandboxes really make up for shit like this sucking so bad?

      Unless I'm mistaken, no OS implements a system
      where the open file dialogue is separated from the
      program, and the program is only allowed to access
      files the user has selected in it. So won't
      Adobe's crappy Reader be able to read any file the
      user running it can?

      Please correct me if I'm wrong.
      AzuMao
    • Why are your linux servers so insecure?

      I have to ask because you want to sandbox everything meaning the underlying OS of linux must be pretty insecure for you to go out of your way like that. I'll stick with Microsoft Windows, it offers fine grain control of security that can't be found in linux.
      Loverock Davidson
      • Wtf?

        Servers don't even have Adobe Reader installed, learn how to
        troll properly or don't bother trying.
        AzuMao
      • How ridiculous!!!

        Do you actually [i]read[/i] what you write?

        "I have to ask because you want to sandbox everything meaning the
        underlying OS of linux must be pretty insecure for you to go out of your
        way like that." No; it's just sound system administration. You see, a
        professional sys admin, including Windows admins, will take [i]every
        sensible precaution available[/i] to them to ensure that their system is
        secure. Besides, this has nothing to do with server OS's. To bring them
        up merely shows you up to be a know-nothing troll.
        webmaster@...
      • Why ask such a question?: Ignorance.

        fyi,

        http://dev.chromium.org/developers/design-documents/sandbox#TOC-Other-caveats

        Google is honest to say that there sandbox is only as good as the underlying O/S security model. They mean Wiindows 7.

        Read the caveats in the above link.

        Ubuntu's Linux Security Module (LSM) AppArmor runs outside of the kernel to cross-check not just the App (e.g., browser) but also the O/S.

        Therein lies the BIG difference between LSMs and Windows 7.

        Linux is safest.
        D.T.Schmitz
        • I want to know

          Why does linux require so much extra effort to keep it secure? That is a Google based link thus I will not go to it. You really shouldn't use Google as a reference when it comes to security since they know nothing about it. Now back to the subject at hand, why does every linux application need to be sandboxed? Because linux is that insecure! I will not be using linux any time soon for that reason. Its already difficult to explain linux to people but to tell them they have to sandbox every application, and configure that apparmor, well that just puts them over the top and will make them run far far away from it.
          Loverock Davidson
          • Why do you eat dog crap?

            Loaded question. Google it.
            AzuMao
          • well done!

            Next time see if you can say nothing in TWO paragraphs.

            We're rooting for ya, so you hang in there and keep 'em coming. Remember, once you've mastered multi-paragraph "vacuous" we can start working on "mental black hole" lessons. That'll really get some goats around here!

            Meantime I remind you do be careful; there's a fine line between merely hollow and actual lies. Best to minimize relevant content as much as possible to avoid the inadvertent "dead wrong" statement.
            pgit
          • (my above addr. to LD, FYI) (nt)

            `
            pgit
      • becuase linux is a tinker toy set

        linux is obviously a useful language for people living on the back end. almost as useful as solaris. or unix. o wait: aren't all the -ix speaks flavours of 40 year old tech that never found consumer acceptance, but make toys at the level of virtual erector sets.
        people involved in actual communities tend to think more about delivering content and meaning than about their own cleverness in finding new ways to make an envelope.
        gabrielbear@...
        • You made some typos.

          It is Windows that is only good for playing games.


          Linux is the one not based on stone-age concepts.
          AzuMao
    • Ubuntu 9.10 is a joke

      Linux however, is nice.

      I should rephrase that, users of Ubuntu are a joke....

      Ubuntu is somewhat decent.

      Who needs sandboxing if you don't operate as super-user (root)?

      Now which complete moron / idiot would operate as root under Unix/Linux/Windows?

      Linux for humans uh? What kind of humans? Hmmm.

      Google: http://www.google.com/search?q=principle+of+least+privilege
      Results 1 - 10 of about 344,000 for principle of least privilege. (0.24 seconds)

      http://en.wikipedia.org/wiki/Principle_of_least_privilege
      In information security, computer science, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program on the basis of the layer we are considering) must be able to access only such information and resources that are necessary to its legitimate purpose.[1][2]

      When applied to users, the terms least user access or least-privileged user account (LUA) are also used, referring to the concept that all users at all times should run with as few privileges as possible, and also launch applications with as few privileges as possible.

      Report: 92% of critical Microsoft vulnerabilities mitigated by Least Privilege accounts

      http://blogs.zdnet.com/security/?p=2517

      I reiterate, who the heck needs sandboxing? More than DEP and ASLR? Which Linux doesn't implement fully???

      DEP: http://en.wikipedia.org/wiki/Data_Execution_Prevention

      ASLR: http://en.wikipedia.org/wiki/Address_space_layout_randomization

      Heh, just for fun, google "most vulnerable" and see what comes back... Go ahead, I know you want to... (That affects YOU FOSS).

      Google: http://www.google.com/search?q=most+vulnerable
      Results 1 - 10 of about 12,400,000 for most vulnerable. (0.16 seconds)

      ~~~~~~~~~~
      The more you learn, the more you realize you didn't know. That's the downside of continuing your education. The benefits come next.
      WinTard
      • Huh?

        I thought the default setting for Ubuntu was not
        to even [i]have[/i] a root account at all?

        I thought Linux supported DEP for years now?

        And can't ASLR be done by the program without
        any help from the OS by making a little stub at
        the start to randomly relocate the program and
        link it at runtime?

        And what about intentional problems in the
        program, which a perfect implementation of DEP
        and ASLR will do nothing against? Isn't it still
        bad for a malicious program to do anything the
        user can? That, I think, is the point of
        sandboxing. But I'm sure it really works.
        Neither "IE Protected Mode" nor "AppArmor".
        AzuMao
      • 'Tard...

        You do realise that it was Adobe with a security flaw in Flash that
        rendered DEP and ASLR totally pointless. It also illustrated that DEP and
        ASLR are potentially useless where JIT runtimes are used; such as
        JavaScrip, Java and even .Net!!! Is all well and good linking to subjects
        on Wikipedia, knowing what the information means is what actually
        matters. You don't.
        webmaster@...
    • mostly true...

      Oh wait.. I am also protected on my windows machines... I dont run Adobe Acrobat reader... and my pdf reader software has JavaScript turned off...
      Ceridan
  • RE: Adobe plugs more gaping holes in PDF Reader

    Hey Adobe:

    [b]Your products suck![/b]

    Why don't you fix Acrobat versions prior to 8? Do you not realize how many OEM copies that were sold with a PC?

    You are responsible for infecting millions of PC's!

    Acrobat and Flash Suck!

    Elsewhere on ZDNET....
    Report: Malicious PDF files comprised 80 percent of all exploits for 2009

    Need I say more....
    TheTruthGiver
    • They don't care.

      The vast majority are dependent on them, or at
      least think they are, so any money spent making
      less shitty products comes out of their bottom
      line. Which is all that matters to commercial
      companies. That's the difference between FOSS and
      proprietary.
      AzuMao
    • Over Priced buggy stuff - No long term suppport

      I have to agree with ThetruthGiver !


      "Why don't you fix Acrobat versions prior to 8? Do you not realize how many OEM copies that were sold with a PC?"

      We have over 100+ users on Acrobat (Full product) 7.1.4 and it's no more than 4 years old. It's required for our DMS system, so we have to have True Adobe Acrobat, not a knock off version. It's not that we run OLD OLD stuff that's past it's prime here. But at over $240.00 a seat (very over priced) we are not about to update every 2 years, for a product that has changed very little in the last 2 versions ! The fact that they will not provide critical security updates is almost criminal, they need to be called out on this and unfortunately I don't see anyone doing it. It's not like this is 10 year old software !

      I have to agree their support policy SUCKS !, but they have always been a very arrogant company, so this not out of the ordinary for them.
      bobt_smf
      • "True"? "Knock off"???

        Is there some product that pretends to be from Adobe but isn't really?

        Why would anyone do such a thing? It would be like making a chocolate cake and selling it as "100% real dog sh[i][/i]it" or making lemonade and selling it as "cat pi[i][/i]ss".
        I don't understand.




        edit: wait I think I get it now.. copy protection? Since nobody would want to pirate a piece of useless sh[b][/b]it?
        AzuMao