
Critical flaws haunt Adobe PDF Reader, Acrobat

Written by Ryan Naraine on

Adobe dropped a bumper patch for its PDF Reader and Acrobat today to fix 15 documented security holes that expose Windows, Mac and UNIX users to malicious hacker attacks.

The update is rated "critical" because of the risk of remote code execution attacks via rigged PDF files.

According to an advisory from Adobe, the vulnerabilities affect Adobe Reader 9.3.1 (and earlier versions) for Windows, Macintosh, and UNIX, Adobe Acrobat 9.3.1 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.1 (and earlier versions) and Adobe Acrobat 8.2.1 (and earlier versions) for Windows and Macintosh.

These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

This patch batch also coincides with the release of a new automatic updater for the Reader/Acrobat software. In the default installation configuration, automatic updates run on a regular schedule; an update check can also be triggered manually by choosing Help > Check for Updates.

Here are the raw details on the 15 documented vulnerabilities:

  • A cross-site-scripting vulnerability that could lead to code execution (CVE-2010-0190).
  • A prefix protocol handler vulnerability that could lead to code execution (CVE-2010-0191).
  • A denial-of-service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-0192).
  • A denial-of-service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-0193).
  • A memory corruption vulnerability that could lead to code execution (CVE-2010-0194).
  • A font handling vulnerability that could lead to code execution (CVE-2010-0195).
  • A denial-of-service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-0196).
  • A memory corruption vulnerability that could lead to code execution (CVE-2010-0197).
  • A buffer overflow vulnerability that could lead to code execution (CVE-2010-0198).
  • A buffer overflow vulnerability that could lead to code execution (CVE-2010-0199).
  • A memory corruption vulnerability that could lead to code execution (CVE-2010-0201).
  • A buffer overflow vulnerability that could lead to code execution (CVE-2010-0202).
  • A buffer overflow vulnerability that could lead to code execution (CVE-2010-0203).
  • A memory corruption vulnerability that could lead to code execution (CVE-2010-0204).
  • A heap-based overflow vulnerability that could lead to code execution (CVE-2010-1241).

Also see this important note from Adobe's Brad Arkin on the new automatic updater that was released today.
