Adobe ships critical PDF Reader, Acrobat patch

Summary: Adobe has shipped a critical update to patch a code execution vulnerability affecting multiple versions of its Reader and Acrobat products. According to Adobe's advisory, the flaw "could potentially allow an attacker to take control of the affected system."

Adobe has shipped a critical update to patch a code execution vulnerability affecting multiple versions of its Reader and Acrobat products.

According to Adobe's advisory, the flaw "could potentially allow an attacker to take control of the affected system."

If you have Adobe Reader or Acrobat installed on your machine, this update should be treated with the highest possible priority because the vulnerability is being exploited in the wild.

The patch is available for all platforms. The affected products are:

  • Adobe Reader 8.0 through 8.1.2
  • Adobe Reader 7.0.9 and earlier
  • Adobe Acrobat Professional, 3D and Standard 8.0 through 8.1.2
  • Adobe Acrobat Professional, 3D and Standard 7.0.9 and earlier

Adobe Reader 7.1.0 and Acrobat 7.1.0 are not vulnerable to this issue.

From a separate SecurityFocus bulletin:

Adobe Acrobat and Reader are prone to a remote code-execution vulnerability because the application fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users.

 * Image source: existentist's Flickr photostream (Creative Commons 2.0)

Topics: Enterprise Software, Security

Talkback

19 comments
  • Two words:

    Foxit. Reader.

    Like MacOS, you have the added "security" layer of being a minority target. Until Foxit reaches Acrobat's market share, no one will bother much writing exploits, or even looking for holes. (Yes, also like MacOS, you may not get targeted, but you've got the same essentially limitless number of open vulnerabilities at any given time as the market leader.)

    Foxit has the ADDED bonus of being a much better written piece of software compared to Acrobat Reader.

    Or, choose your favorite other alternative.
    KTLA
    • The Adobe monoculture

      Yes, I'm with you. In my circle of family/friends where I'm the IT guy, I uninstall Adobe Reader/Acrobat and set Foxit as the default program for .pdf files.

      I think we should all start looking for diversity when products represent a monoculture.

      _ryan
      Ryan Naraine
      • A backup by any other name...

        Ryan,

        Agreed, but I don't take that to mean every Windows system should have a corresponding Linux system next to it. Good, reliable backups (including a redundant system, if resources allow) are irreplaceable. Sure, having Foxit instead of Adobe installed may keep you secure this time, but chances are, in the long term, no matter what you use it will be exploited at some point. That is when backups are worth their weight in gold.
        Real World
  • Gee, another Acrobat patch

    Adobe needs to create a "Patch of the Week" web site what with the endless security patches for Flash and Acrobat. There should be a warning on their products: "This software was never secure, and never will be secure because we don't know how to make it secure. Therefore, you will be constantly patching our software in an attempt to make it secure."
    jpr75_z
    • Add Apple And Sun to That List

      Apple writes Quicktime that gets patched all the time, on both platforms. Java has had numerous patches -- compare it to the .Net runtimes.

      And they're not even operating systems.
      PMC-CON
  • RE: Adobe ships critical PDF Reader, Acrobat patch

    doesn't look like it's available, the Adobe Reader update doesn't pick anything up.
    reverseswing
    • Same here

      Normally Acrobat keeps bugging you about updates being available and then wants to reboot (usually when I'm in the middle of something important/interesting). This time when I try checking for updates, it says no updates are available. Maybe it's waiting for me to start watching a DVD or play a game before getting me to reboot.
      balaknair
  • RE: Adobe ships critical PDF Reader, Acrobat patch

    Available thru the supplied link in the article. After applying the patch, the Adobe Reader "About" tab doesn't indicate the presence of the 8.1.2 security patch 1. Rather poor design, IMHO.
    rregier9
  • RE: Adobe ships critical PDF Reader, Acrobat patch

    Thanks for the info!
    Dewy5
  • RE: Adobe ships critical PDF Reader, Acrobat patch

    Now this is a real mystery to me. When we buy products like Adobe we are always reminded that if we register they can send us notices about issues just like this. Now, has anyone out there received any urgent notices from Adobe about this update? I didn't and I would not have known if I had not read your stuff.
    andrewfurb44@...
    • Amen -- Adobe Didn't Contact This Registered User Yet.

      NT
      PMC-CON
  • RE: Adobe ships critical PDF Reader, Acrobat patch

    On a related note, have you ever tried to turn off the automatic update to Acrobat Reader? It is impossible as far as I can tell. I prefer to decide when I want to update the product (until it has been vetted) but Acrobat will continually attempt to connect and update until you finally give in.
    impcad
  • RE: Adobe ships critical PDF Reader, Acrobat patch

    I can get Adobe 8 to lock up Vista SP1 every time - just try to fiddle with the opening pdf file (move or resize) too soon - Vista locks up - time to reboot.
    Doctor Neutron
    • Adobe Reader 8.0

      Way back when 8.x came out, it would lock me up or do other bad things. Which is why I searched for and found the 7.0.9 install file and have been running that ever since. Not sure why to upgrade to any 8.x now. Haven't been notified about the patch.

      Bernie
      bernie157
  • 8.1.2 ??

    Apart from this article's notice, the Secunia Software Inspector advised of the update to Adobe Reader. A download and install from the Adobe site however shows that Adobe is still offering up version 8.1.0.137 instead of the newer 8.1.2.215.

    I've tried updating a number of computers today (multiple times). All installed the wrong version.

    What's up with that?
    GVC2031
    • re: 8.1.2??

      Does the built-in update function in Adobe reader offer 8.1.2.215?

      As long as the update is not major, eg 8.1 to 9.0, I would think Adobe reader should offer it.
      JStR2855
  • RE: Adobe ships critical PDF Reader, Acrobat patch

    I blogged about this and covered Windows Vista, XP, 2000, Macs and Linux. This patch is unusual in that, if you start with version 8.1.2 and apply the patch, a standard Help -> About still shows version 8.1.2. According to Adobe you have to do Help -> About Adobe Plug-Ins -> Comments and look for a date on the API file of 6/7/2008. For more see
    http://news.cnet.com/8301-13554_3-9979638-33.html
    Michael Horowitz
    Michael Horowitz
  • RE: Adobe ships critical PDF Reader, Acrobat patch

    Best way to avoid Adobe's inherent inability to produce secure software for what is essentially supposed to be a simple PDF viewer: go elsewhere. I use Foxit, a small, free PDF reader that loads almost instantaneously, doesn't hog disk space nor resources and is very easy to use. How or why Adobe's version went from being useful software to bloatware I'm not too sure...
    meister2681
  • RE: Adobe ships critical PDF Reader, Acrobat patch

    In my opinion the new version of Adobe Reader (http://www.rosoftdownload.com/download/Windows/Adobe-Reader) software is the global standard for electronic document sharing. It is the only PDF viewer that can open and interact with all PDF documents.
    yman25