MUST READ: Yahoo lands Tumblr for $1.1 billion: report

Topic: Enterprise Software

Adobe ships another mega-patch for PDF Reader

Summary: The latest mega-patch, available for Windows, Mac and UNIX users, covers a whopping 23 security flaws that could cause software crashes or remote code execution attacks.

Ryan Naraine

By for Zero Day |

Adobe has slapped another band-aid on its heavily targeted PDF Reader/Acrobat product line, warning that hackers are already exploiting some of these vulnerabilities to launch malware attacks.

The latest mega-patch, available for Windows, Mac and UNIX users, covers a whopping 23 security flaws that could cause software crashes or remote code execution attacks.

Affected Software Versions:

  • follow Ryan Naraine on twitterAdobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
  • Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh

The company rates these vulnerabilities as "critical" and urged users to immediately upgrade to Adobe Reader 9.4.

[ New PDF zero-day under attack ]

This patch batch was rushed out in response to zero-day attacks that exploited at least two of the 23 security holes.

The next quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011.

Topic: Enterprise Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

39 comments
Log in or register to join the discussion

  • Hey look a new Zero-Day attack!

    What?<br>You mean you have to patch again? Why?<br>Oh. I see. You are using Windows. Well, now I understand. <br><br>But if you want my advice, switching to Ubuntu Linux with LSM AppArmor and sandboxed Evince (PDF reader) will keep you safe from any PDF exploit.<br><br>And, LSM AppArmor security doesn't stop there. You can turn on profiles for your Firefox browser, Evolution email, and even Pidgin IM sessions.<br><br>If there isn't a stock AA profile for your special Linux App, creating a profile isn't difficult.<br><br>The point here isn't that Linux can't get infected by Zero-Day exploits--it's that Canonical understands this and is proactively offering standard AA sandbox profiles for its user-base.<br><br>There's no getting around the fact that Apps on any platform when written inevitably have software bugs that result in 'unintended side effects'. That is what the hackers are looking for (fuzzing) and they design buffer overflows to induce privilege escalation on your operating system.<br><br>This is where AA comes alive and steps in. AA polices both your App and the kernel's actions and if their actions are not defined in the App's profile, they simply get refused--stopped cold.<br><br>So, Ubuntu Linux isn't immune to infection, but you can be assured that any App you run with an AA profile will keep any zero-day exploit from escalating and seizing control of your machine. That is the point. And you can be assured that Canonical will provide a timely update to fix known vulnerabilities/exploits in a matter of days, or even the same day reported--not just once a month like the Windows 'first Tuesday' of the month patch cycle.<br><br>That is the way it should be. Get peace of mind with Ubuntu Linux.<br><br>Ubuntu Linux: The safest operating system on the planet.<br><br>I stake my reputation on it.

    More about AppArmor here:
    h-t-t-p-s://help.ubuntu.com/community/AppArmor
    Dietrich T. Schmitz, ~ Your Linux Advocate
    Reply Vote

    • Fascinating

      Even with the overwhelming proof provided by others that what you say is highly innacurate, you still continue to post those same falsehoods on this site, hoping that one day someone might suddenly be fooled.

      Humans can be highly illogical at times.
      :|
      Tim Cook
      Reply Vote

      • RE: Adobe ships another mega-patch for PDF Reader

        @Mister Spock

        Ok Mister Spock Point out what is wrong with what he wrote! Prove him wrong! I use Apparmor! And I read the reports that it puts out! Hmm No He speaks the truth! FF and Crome are LOCKED DOWN! hmm So is Java! And more! Use the program for your self don't believe the drivel!!!

        Randy A. Stiles, Linux Advocate!
        stilesalaska
        Reply Vote

    • RE: Adobe ships another mega-patch for PDF Reader

      @Dietrich T. Schmitz<br><br>Or you can use EMET 2.0 on Windows:<br><br><a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04" target="_blank" rel="nofollow"><a href="http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04" target="_blank" rel="nofollow">http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04</a></a><br><br>Which short circuited the zero day flaw this Adobe patch plugged up:<br><br><a href="http://news.cnet.com/8301-1009_3-20016161-83.html?tag=topTechContentWrap;editorPicks" target="_blank" rel="nofollow"><a href="http://news.cnet.com/8301-1009_3-20016161-83.html?tag=topTechContentWrap;editorPicks" target="_blank" rel="nofollow">http://news.cnet.com/8301-1009_3-20016161-83.html?tag=topTechContentWrap;editorPicks</a></a><br><br>Then you don't have to be a LINUX nerd. <br><br>Seriously mang, I love LINUX. I have Ubuntu 10.04 LTS on a VM and I use LINUX every day on my job as a sys admin <b>but</b> the average lay person just does <b>not</b> care. Simple as that. It's hard enough to get them to use low hanging fruit and you consistently propose the use of an entirely different OS along with talk where you'll lose 98% of your audience immediately.<br><br>EMET 2.0 will cause most people to shrug their shoulders and not bother and it is incredibly effective at arbitrary execution attacks like the zero day exploit that Adobe just patched. And if they won't go for that, do you <b>seriously</b> think someone will bother changing OSes?<br><br>Give it a rest,<br>-M
      betelgeuse68
      Reply Vote

      • Give it a rest? Why?

        @betelgeuse68
        Isn't it serious enough to speak up? Or would you rather live with mediocrity?

        Seriously, EMET is a start, but isn't part of the kernel.
        Nor does it police the kernel's action itself.

        But EMET does show MS is beginning to take responsibility. That is good.

        Prior to EMET, MS offered no mitigation tool and all Admins could do is turn off a feature, wait for a patch and hope it will be delivered 'out of band' or resort to putting a bead of silicon caulk on their cat5 jack and duct tape on the power switch.

        AppArmor is part of the mainline Linux Kernel as of 2.6.35.

        AppArmor has been installed with Ubuntu since version 7.04.

        Thanks but, I'll keep getting out the message even at the risk of repeating myself.
        Dietrich T. Schmitz, ~ Your Linux Advocate
        Reply Vote

    • RE: Adobe ships another mega-patch for PDF Reader

      @Dietrich T. Schmitz, Your Linux Advocate
      So if I understand it correctly, what you say is that if I have apparmor enabled than I dont have to update vulnerable softwares. Once apparmor is enabled I dont have to patch anything ever again. Is that right ? Because thats what I could comprehend from what you have written.
      1773
      Reply Vote

      • Incorrect on your understanding.

        @MSPawar
        Patches from Ubuntu come in due course, automatically, and are available in a matter of days or even the same day a zero-day vulnerability is reported.

        The point: LSM AA stops zero-day vulnerabilities.
        Dietrich T. Schmitz, ~ Your Linux Advocate
        Reply Vote

      • RE: Adobe ships another mega-patch for PDF Reader

        @Dietrich T. Schmitz, Your Linux Advocate
        "What?
        You mean you have to patch again? Why?
        Oh. I see. You are using Windows. Well, now I understand. "
        This is from your comment. Seriously tell me what do those sentences mean ? I can understand you promoting some OS which you think is good, but you need to do it clearly without sending improper messages about other OSs.
        1773
        Reply Vote

      • RE: Adobe ships another mega-patch for PDF Reader

        @Dietrich

        "Patches from Ubuntu come in due course, automatically"

        Isn't that same capability available with Windows?

        Or does Ubuntu update Adobe's software automatically?
        msalzberg
        Reply Vote

    • RE: Adobe ships another mega-patch for PDF Reader

      @Dietrich T. Schmitz, Your Linux Advocate

      Its sad that all you can do with linux is copy and paste. All that supposed man power with thousands of individuals working on it and all you can do is copy & paste. That is my conclusion since all your posts are the exact same. Based on that I can no longer recommend linux to anyone. I'll stick with Microsoft Windows since it allows me to do anything I want to include not just copy & paste, but type up new documents, browse the web, use a wide selection of multimedia, and take full advantage of my hardware.

      Microsoft Windows 7 -- Officially endorsed by Linus Torvalds!
      Loverock Davidson
      Reply Vote

      • Now that's funny LD.

        @Loverock Davidson

        Please. Have more DayQuil. Your humor quotient is rising.
        Dietrich T. Schmitz, ~ Your Linux Advocate
        Reply Vote

      • RE: Adobe ships another mega-patch for PDF Reader

        @Dietrich T. Schmitz

        Thanks, I knew you would admit I'm right. I'll be sure to tell everyone about this in the future. Again, thanks for giving me more credit.
        Loverock Davidson
        Reply Vote

      • He's like a child who has learned a new word.

        @Loverock Davidson: Continually repeating it over and over again. Meanwhile the adults just nod and think "How cute".
        ye
        Reply Vote

      • RE: Adobe ships another mega-patch for PDF Reader

        @Loverock Davidson
        When have you ever recommended Linux to someone?
        Zc456
        Reply Vote

      • RE: Adobe ships another mega-patch for PDF Reader

        @Loverock Davidson
        Pot kettle black - and you've been doing it for years and years and never grown up
        deaf_e_kate
        Reply Vote

    • Hey look, another fallacy from Dietrich.

      @Dietrich T. Schmitz, Your Linux Advocate
      ryanstrassburg
      Reply Vote

    • RE: Adobe ships another mega-patch for PDF Reader

      @Dietrich T. Schmitz, Your Linux Advocate <br><br>It's nice to be passionate about something.<br><br>But can I run Vectorworks, OmniGraffle, QLab or Filemaker under Linux? How about Yamaha's DME Designer software, or ProTools or Logic?<br><br>I don't think I'm all that different from most people: I run applications, not OSs. The apps I use run under either OS X, Windows, or both. Until such time as the apps I need run natively under Linux, I will not be running Linux.
      msalzberg
      Reply Vote

      • RE: Adobe ships another mega-patch for PDF Reader

        @msalzberg : I was going to add a couple more apps and some hardware, but decided you'd pretty well covered it off.

        +1
        twaynesdomain-22354355019875063839220739305988
        Reply Vote

      • separate the uses

        @msalzberg
        I just want to point out, in case you don't know, that there are many excellent alternatives to audio editing in Linux. There are even some distributions that pack all of them. For my understanding they are a bit scattered, in the sense that there is not a single one that does everything, but each one does its specific job very well.

        Audio applications are anyway not connected to the internet, so compromising your security for productivity is a valid point, and you'll probably not suffer from it. But I think the main point from Dietrich is that if you wanna use the internet, you need something better than Windows.

        I personally use Linux for everything I can, and I have a Win machine for those special software packages like you point out. I really start shaking if I think of doing on-line banking with my Windows machine.
        patibulo
        Reply Vote

        • Thank you.

          @patibulo

          We have a winner.
          Seriously, I think there are many readers who do 'get it' at this point.

          I too run Windows XP but run it from a VirtualBox VM set to 'immutable'. While it's difficult to stop incursions, immutable always starts every XP session in its pristine 'clean' state, something users should consider as an option in addition to the newest EMET Microsoft offering.

          EMET:
          http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04&pf=true

          VirtualBox Immutable:
          http://www.virtualbox.org/manual/ch05.html#hdimagewrites

          Be safe.
          Dietrich T. Schmitz, ~ Your Linux Advocate
          Reply Vote
CNET Join | Log In | Privacy | Cookies Close