Adobe plugs PDF zero-day flaw in latest security makeover

Summary: Adobe has released a mega-update for its Reader and Acrobat software products to fix a total of eight documented security vulnerabilities.

The update also brings significant security improvements, most notably that "Enhanced Security," a feature that provides a set of default restrictions and a method to define trusted locations that are not subject to those restrictions, is now turned on by default. First up, here are the security vulnerabilities patched with this update:

  • This update resolves a use-after-free vulnerability in Multimedia.api that could lead to code execution (CVE-2009-4324). This issue is being actively exploited in the wild; the exploit targets Adobe Reader and Acrobat 9.2 on Windows platforms.
  • This update resolves an array boundary issue in U3D support that could lead to code execution (CVE-2009-3953).
  • This update resolves a DLL-loading vulnerability in 3D that could allow arbitrary code execution (CVE-2009-3954).
  • This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2009-3955).
  • This update mitigates a script injection vulnerability by changing the Enhanced Security default (CVE-2009-3956).
  • This update resolves a null-pointer dereference vulnerability that could lead to denial of service (CVE-2009-3957).
  • This update resolves a buffer overflow vulnerability in the Download Manager that could lead to code execution (CVE-2009-3958).
  • This update resolves an integer overflow vulnerability in U3D support that could lead to code execution (CVE-2009-3959).

Adobe rates this a "critical" update on all platforms. The flaws affect Adobe Reader 9.2 and Acrobat 9.2 for Windows, Macintosh and UNIX; and Adobe Reader 8.1.7 and Acrobat 8.1.7 for Windows and Macintosh.

These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

[ SEE: Adobe confirms PDF zero-day attacks. Disable JavaScript now ]

According to a document released alongside the patches, Adobe has turned on the Enhanced Security feature by default.

Enhanced security provides two tools designed to help you protect your environment: a set of default restrictions and a method to define trusted locations that should not be subject to those restrictions. In other words, you can either block dangerous actions altogether or else selectively permit them for locations and files you trust.

It also includes improvements to privileged locations and cross-domain support, clearer warning messages and dialogs, and disables legacy multimedia support by default.
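As an added example (not Adobe's or the article's code), the Python script below statically triages a PDF for the features the eight fixes above and the new Enhanced Security default touch: JavaScript (the route to Multimedia.api), legacy multimedia and 3D/U3D annotations, and launch/open actions. It also shows two things a plain grep for `/JavaScript` misses: PDF name escapes such as `/Java#53cript`, and code hidden inside FlateDecode-compressed streams. The `media.newPlayer` string check reflects the JavaScript API Adobe's pre-patch JavaScript Blacklist workaround named for CVE-2009-4324; the indicator names, their descriptions and the sample PDF (constructed inline, carrying no payload) are this example's own. A hit means a file exercises a patched code path and deserves a closer look, not that it is an exploit.

```python
"""Static triage of a PDF for the attack surfaces in Adobe's Reader/Acrobat
9.3 / 8.2 update (APSB10-02) and the features Enhanced Security restricts.

Added example, not Adobe's or the article's code. A hit means the file uses
a parser feature the update patched or that Enhanced Security locks down
(JavaScript, multimedia, U3D/3D, launch/open actions); it is an indicator
for closer inspection, not proof of exploitation.
"""
import re
import zlib

# PDF name tokens worth flagging, mapped to the risk the update describes.
# Matching happens after #xx escape normalisation, so /Java#53cript is
# recognised as /JavaScript.
SUSPICIOUS_NAMES = {
    "JavaScript": "document JavaScript (the route to Multimedia.api, CVE-2009-4324)",
    "JS": "inline JavaScript action",
    "OpenAction": "action executed when the document opens",
    "AA": "additional actions (page and form-field event triggers)",
    "RichMedia": "rich media (Flash) annotation",
    "Movie": "legacy multimedia annotation (off by default under Enhanced Security)",
    "Sound": "legacy multimedia annotation (off by default under Enhanced Security)",
    "Rendition": "multimedia rendition action",
    "U3D": "U3D 3D stream (CVE-2009-3953, CVE-2009-3959)",
    "PRC": "PRC 3D stream (3D plug-in)",
    "3D": "3D annotation (CVE-2009-3954)",
    "Launch": "launch action (can start an external program)",
    "EmbeddedFile": "embedded file attachment",
}

# JavaScript fragments worth flagging. media.newPlayer is the API Adobe's
# pre-patch JavaScript Blacklist workaround named for CVE-2009-4324; the
# unescape("%uXXXX...") shape is the usual form of a heap-spray payload.
SUSPICIOUS_JS = {
    "media.newPlayer": re.compile(rb"media\s*\.\s*newPlayer"),
    "unescape %u payload": re.compile(rb"unescape\s*\(\s*[\"'](?:%u[0-9a-fA-F]{4}){4,}"),
}

NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")           # one PDF name token
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_name(raw: bytes) -> str:
    """Decode PDF #xx name escapes: b'Java#53cript' -> 'JavaScript'."""
    decoded = re.sub(rb"#([0-9A-Fa-f]{2})",
                     lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def scan_targets(data: bytes):
    """Yield (label, bytes) chunks to scan: the file body with raw stream
    bodies cut out, then every stream body, inflated when it is Flate."""
    yield "body", STREAM_RE.sub(b"stream\nendstream", data)
    for i, m in enumerate(STREAM_RE.finditer(data), 1):
        body = m.group(1)
        try:
            # decompressobj tolerates a clipped trailing checksum byte
            body = zlib.decompressobj().decompress(body)
        except zlib.error:
            pass  # not Flate (or damaged): scan the raw bytes instead
        yield f"stream#{i}", body


def triage(pdf: bytes) -> dict:
    """Return {indicator: [chunk labels where it was seen]}."""
    hits = {}
    for where, chunk in scan_targets(pdf):
        names = {normalize_name(m.group(1)) for m in NAME_RE.finditer(chunk)}
        for name in sorted(names.intersection(SUSPICIOUS_NAMES)):
            hits.setdefault(name, []).append(where)
        for label, rx in SUSPICIOUS_JS.items():
            if rx.search(chunk):
                hits.setdefault(label, []).append(where)
    return hits


def report(hits: dict) -> list:
    """Human-readable lines, one per indicator."""
    lines = []
    for ind, where in hits.items():
        why = SUSPICIOUS_NAMES.get(ind, "suspicious JavaScript fragment")
        lines.append(f"{ind}: {why} [{', '.join(where)}]")
    return lines


def build_sample_pdf() -> bytes:
    """Constructed sample (no payload): an OpenAction pointing at JavaScript
    whose /S name carries a #53 escape and whose code sits inside a
    FlateDecode stream, the layering a plain grep for /JavaScript misses."""
    comp = zlib.compress(b"this.media.newPlayer(null);")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /Java#53cript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp)
        + comp + b"\nendstream",
    ]
    out, offsets = bytearray(b"%PDF-1.6\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref)
    return bytes(out)


if __name__ == "__main__":
    for line in report(triage(build_sample_pdf())):
        print(line)
```

Run it on a real file with `triage(open(path, "rb").read())`. The script deliberately ignores the xref table and walks the raw bytes, so it also sees objects that a malformed or incrementally updated file hides from a spec-following parser; the price is that it cannot follow object streams with other filters (LZW, ASCIIHex) and will not see names those hide.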

Adobe is also beta testing a new automatic updater for Reader and Acrobat. By default, the updater will silently apply patches without user interaction.

Topics: Security, Enterprise Software


Talkback

37 comments
  • Keeping Reader-Java turned off

    I'm keeping Adobe Reader's Java option turned off, because it apparently isn't needed for the type of *.pdf documents that I read.
    Tom12Tom
    • Don't you mean..

      ..uninstalling Adobe Reader? You do get that only *some* of these attacks rely on Adobe's javascript engine, right?
      AzuMao
      • You do get...

        "You do get that only some of these attacks rely on Adobe's javascript engine, right?"

        Yes, I do.

        Every popular program and operating system gets attacked, and patched, and attacked, and patched. That's just the norm.
        Tom12Tom
        • No, it's not.

          The problem isn't them being attacked, it's them being made broken. For example, if they made Reader so that it didn't do things like execute arbitrary fucking code for no reason, it would be safe to use it. But noooo... that's just asking tooooo much.

          Notepad falls under your list of "popular programs", surely? Yet it doesn't run random code in the file. Nope. Sadly, most programmers nowadays are in too much of a hurry to make anything more complicated than Notepad without fucking up big time. But that's not an axiom, it isn't a fundamental intrinsic problem with programs/OSs/computers in general. It's just a problem with shitty companies writing shitty code.
          AzuMao
  • RE: Adobe plugs PDF zero-day flaw in latest security makeover

    It would be nice if Adobe would update the packages available for corporate deployments when they provide patches like this. First you install a 25 MB package, then run the updater and download another 3-4 packages totaling 90+ MB by the time you are done.

    As for their automatic updater, in a managed environment, do we really want every system going to the Internet and downloading a package?

    And why does the reader need to be bloated to 35 MB anyway?
    pibkac
    • I think you missed something in the story...

      There is a link to the Adobe site and from there it plainly links to the MSP file (AcrobatUpd930_all_incr.msp) for Acrobat Std/Pro. If you need 9.3 reader, simply download the new version of the software as there is no update. If the size is a problem, there are lots of other PDF viewers out there that are much smaller (with fewer features and fewer security issues).
      riveroad
    • Because..

      ..Adobe is beyond hiring programmers to make their programs.

      Instead, they simply roll their heads back and forth on the keyboard until, by some miracle, working code is generated. This usually results in dozens of millions of extra bytes of code.
      AzuMao
      • Good one

        You just about made coffee come out of my nose
        Muttz
        • Agreed 100%

          nt

          lehnerus2000
          • That comment was great...

            Adobe programmers rolling their heads on the keyboard, and Adobe users banging their heads on their keyboards.
            We spent this morning re-installing 9.2 on a terminal server used by 100+ users because yesterday Adobe got corrupted. Auto updates were disabled, so we are looking into whether it tried updating via some other means...
            staggerleee
  • Best solution, remove Adobe from your PC.

    Sorry but it offers nothing worth the headaches.
    No_Ax_to_Grind
    • We agree on something, awesome!

      AzuMao
      • I too, agree

        and have been using Foxit for a long time. Suits my needs perfectly.
        Considering checking out Sumatra...
        Zodarr
    • I heartily concur

      Adobe makes MS look like the most secure software in the world. Not to mention that Adobe is the bloatware king, hands down.
      Rodo1
      • And just to backup my contention...

        I just got the "update." It was 60.3 MB and was a full new version, not what I'd consider an update. Sure glad I got rid of dialup!
        Rodo1
    • Sadly...

      For filling out some government forms published as forms in PDF format, I need to use Adobe.

      I tried using FoxIt, and while that worked great for reading, when I filled out a form and saved it, they watermarked the form; basically it said that to get unwatermarked forms, buy the pro package. <sigh>

      What I really wish Adobe would put more effort into is their Flash player. That thing sucks big time, and yet 90% of the webpages I go to all "require" Flash.
      PollyProteus
      • Adobe Free Reader won't save fill-in forms either

        Sadly, free Adobe Reader (AR) doesn't let you save fill-in forms as well. When I came across that problem a few years ago (earlier AR versions), I looked for alternatives. The full Adobe product was about $500 while many alternatives were $100 or more. I only needed to save a few PDF forms, so I kept looking for a cheaper alternative. I finally found PDFill, http://www.pdfill.com/ . It did what I needed and has some nice free PDF tools in addition.
        mystic100
    • Think of the makers of pain killers

      If we took your advice the makers of Tylenol and Advil would lose business...

      Seriously, I agree. I recommended my users migrate to Foxit or Sumatra. Today's Adobe update is just a headache away from tomorrow's exploit... almost literally.
      eric.jernigan
      • You forgot..

        ..Prozac!
        AzuMao
  • Ah, still using this non-term.

    Year after year, never telling us WTF they think they mean by "zero day."
    dgurney