Zero Day

Ryan Naraine and Dancho Danchev

Critical flaws haunt Adobe PDF Reader, Acrobat

April 13, 2010, 11:48am PDT

Summary: The update is rated “critical” because of the risk of remote code execution attacks via rigged PDF files.

Adobe dropped a bumper patch for its PDF Reader and Acrobat today to fix 15 documented security holes that expose Windows, Mac and UNIX users to malicious hacker attacks.

According to an advisory from Adobe, the vulnerabilities affect Adobe Reader 9.3.1 (and earlier versions) for Windows, Macintosh, and UNIX, Adobe Acrobat 9.3.1 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.1 (and earlier versions) and Adobe Acrobat 8.2.1 (and earlier versions) for Windows and Macintosh.

These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
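The version ranges in the advisory are easy to misread when you have a mixed 8.x/9.x estate: "9.3.1 and earlier" covers every older branch, except that 8.x installs at or above the separately stated 8.2.1 ceiling are handled on their own branch. The following Python is an added example, not Adobe's code or anything from the ZDNet article; it encodes exactly the two ceilings the advisory gives and runs over a constructed sample inventory. The `Host` records, the host names and the idea that you already have an inventory of installed versions (from the Windows registry, a packaging database, or a management tool) are assumptions for the example.

```python
"""Flag Adobe Reader/Acrobat installs that still need the April 2010 update.

Affected ranges are taken from the advisory text quoted above:
  - 9.3.1 and earlier (so every branch older than 9 is included, except
    8.x installs that are already above the 8.x ceiling below)
  - 8.2.1 and earlier on the 8.x branch
Everything else here (hosts, product names) is constructed sample data.
"""

from dataclasses import dataclass
from typing import List, Tuple

# Highest still-affected version on each branch named in the advisory.
CEILING_9 = (9, 3, 1)
CEILING_8 = (8, 2, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.3.1', '9.3' or '9.3.1.0' into a comparable integer tuple.

    Only the first three components are significant for the advisory, so the
    caller compares v[:3]; short strings are padded with zeros.
    """
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError("unparseable version component: %r" % piece)
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if this install falls inside an affected range from the advisory."""
    v = parse_version(version)[:3]
    if v[0] == 8:
        # 8.x has its own ceiling: 8.2.1 and earlier are affected,
        # anything newer on that branch is not.
        return v <= CEILING_8
    # Every other version is affected if it is 9.3.1 or earlier, which by the
    # advisory's wording also sweeps in unsupported branches such as 7.x or 4.0.
    return v <= CEILING_9


@dataclass(frozen=True)
class Host:
    name: str
    product: str  # "Adobe Reader" or "Adobe Acrobat" (hypothetical inventory field)
    version: str


# Constructed sample inventory, not real hosts.
SAMPLE_HOSTS = [
    Host("ws01", "Adobe Reader", "9.3.2"),
    Host("ws02", "Adobe Reader", "9.3.1"),
    Host("ws03", "Adobe Acrobat", "8.2.1"),
    Host("ws04", "Adobe Reader", "8.2.2"),
    Host("ws05", "Adobe Reader", "4.0"),
    Host("ws06", "Adobe Reader", "9.3.0"),
]


def hosts_needing_update(hosts: List[Host]) -> List[str]:
    """Return the names of hosts whose installed version is still affected."""
    return [h.name for h in hosts if is_affected(h.version)]


if __name__ == "__main__":
    for name in hosts_needing_update(SAMPLE_HOSTS):
        print("needs update:", name)
```

The deliberately strict parser raises on anything that is not dotted integers, which is what you want in an audit: a malformed version string should surface as an error rather than silently count as "not affected".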

This patch batch also coincides with the release of a new automatic updater for the Reader/Acrobat software. The default installation configuration runs automatic updates on a regular schedule; an update check can also be triggered manually by choosing Help > Check for Updates.

Here are the raw details on the 15 documented vulnerabilities:

  • A cross-site-scripting vulnerability that could lead to code execution (CVE-2010-0190).
  • A prefix protocol handler vulnerability that could lead to code execution (CVE-2010-0191).
  • A denial-of-service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-0192).
  • A denial-of-service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-0193).
  • A memory corruption vulnerability that could lead to code execution (CVE-2010-0194).
  • A font handling vulnerability that could lead to code execution (CVE-2010-0195).
  • A denial-of-service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-0196).
  • A memory corruption vulnerability that could lead to code execution (CVE-2010-0197).
  • A buffer overflow vulnerability that could lead to code execution (CVE-2010-0198).
  • A buffer overflow vulnerability that could lead to code execution (CVE-2010-0199).
  • A memory corruption vulnerability that could lead to code execution (CVE-2010-0201).
  • A buffer overflow vulnerability that could lead to code execution (CVE-2010-0202).
  • A buffer overflow vulnerability that could lead to code execution (CVE-2010-0203).
  • A memory corruption vulnerability that could lead to code execution (CVE-2010-0204).
  • A heap-based overflow vulnerability that could lead to code execution (CVE-2010-1241).

Also see this important note from Adobe’s Brad Arkin on the new automatic updater that was released today.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback (most recent of 22)

  • Annoyingly
    Adobe reader doesn't warn you that there's an update available, not on my copy anyway. I had to use the 'check for updates' option on the menu.
    AndyPagin
    14th Apr 2010
  • The download on their website is still 9.3.0
    Adobe just isn't really serious about security
    zmud
    14th Apr 2010
  • You're correct.
    The Adobe Reader page shows 9.3.0, when they should have the full installable version of 9.3.2 on that page by now. You need to go to the download update page before you get the update version (not the full installable version) of Adobe Reader 9.3.2.
    phatkat
    14th Apr 2010
  • Strange ...
    ... I requested the 9.3.2 update ... and the process seemed to go straight through my outbound firewall rules (normally I expect a prompt).

    I've checked and Acrobat Reader is not allowed to dial home.

    Wonder how it did that?
    johnfenjackson@...
    14th Apr 2010
  • Again?
    Again? Ooooh, please. I just want to read a PDF, I don't want a full runtime environment to execute viruses and trojans!

    Adobe should stop building a malware playground and start giving just a simple reader. Wasn't that the point of Adobe Reader in the first place?

    Regards,

    MV
    MV_z
    14th Apr 2010
  • and Again....
    Adobe Reader used to be a small program that did one thing: allow a user to read PDFs. I agree, Adobe should just make one that reads PDFs. Don't execute anything, just let me look at PDFs in peace.
    WmTConqror
    14th Apr 2010
  • Use Foxit Reader instead
    As a computer technician, I see hundreds of PCs where the version of Adobe Reader is what originally came on the PC (saw Adobe Reader 4.0 yesterday!) or 6+ months out-of-date.

    Instead of Adobe Reader, I've been installing Foxit Reader (http://www.foxitsoftware.com/pdf/reader/) for quite some time. It does viewing/printing/searching (etc) just fine without all the unnecessary bells-and-whistles.

    Perfect substitute for 95% of my home customers; and about 90% of my corporate customers.
    glricht
    14th Apr 2010
  • I was but...
    I had put Foxit on all my Windows computers a while back, but when I updated to the latest version a few bonus installs tagged along (Foxit toolbar, ask.com as default search, changed home page). I understand that they are adding these things so they can make some money off their free software, but I had unchecked the "Install Foxit Toolbar" box and it installed anyway. So I'm still not going to use Adobe, but I'm going to avoid Foxit as well. If they can't get a checkbox right in their installer, then can I really trust them with PDFs?
    baboddonggae
    14th Apr 2010
  • RE: Critical flaws haunt Adobe PDF Reader, Acrobat
    Adobe, we need an enterprise patch tool, now! You have more vulnerabilities than any other vendor and it is killing us.
    brett@...
    14th Apr 2010
  • there are ways
    They do make available .msi versions of the full product and .msp versions of the patches. In Windows environments you can deploy those via GPO if you're not a big enough shop for MS System Center or Altiris.
    JustAITGuy
    14th Apr 2010
  • Is Steve Jobs Right about Adobe?
    Adobe seems to be as, if not more, problematic about security than Microsoft. I've downloaded the update to v. 9.3.2 and now Reader won't close.

    I'm beginning to feel that Mr. Jobs was right in keeping Adobe off of Apple's portable devices.

    Now I'll hit Restart, damn.
    ebhb2004@...
    14th Apr 2010
  • Adobe Reader, TaskMan before Restart
    If by "hit Restart" you mean a hardware button, that should be a last resort. First try Task Manager to kill the errant Application. If it isn't displayed under that tab, check the Processes tab.
    AlterGeek
    14th Apr 2010
  • RE: Critical flaws haunt Adobe PDF Reader, Acrobat
    That's consistent with what they have always been doing. I've never seen them go to the effort to make a full installer when patches come out.
    raynebc@...
    14th Apr 2010
  • 9.3.N is a huge dud! Will Foxit fix this??
    All I want is a reader that enables me to directly open a PDF that I receive in Outlook. This was always the case before. Since I downloaded 9.3.1, I have to copy the PDF to my desktop, then open Adobe, and finally open the PDF. I did find a workaround written by someone (and downloading that program is full of virus possibilities). Apparently, Adobe is fully aware of this flaw and has done nothing to correct it.
    dony_z
    14th Apr 2010
  • UNINSTALL Adobe...
    THEN install Foxit. You state you're still opening in Adobe.
    Set Foxit as your default to open PDF. Problem solved.
    janitorman
    14th Apr 2010