Adobe Reader and Acrobat updates close 17 critical holes
Adobe has released versions 9.3.3 and 8.2.3 of its Reader and Acrobat products to close 17 holes. The vendor says that all of them can be exploited to inject and execute code. Simply visiting a specially crafted web page with a browser that has a vulnerable Reader plug-in installed is enough for an attack to succeed.
Among the holes is the flaw in the authplay.dll library (CVE-2010-1297), which plays Flash content embedded in PDF files. After almost three months, Adobe has also finally decided to make it harder for attackers to abuse the /Launch action to execute code. The action is part of the PDF specification: it instructs the viewer to open an application or a file, with the document supplying the target path and, on Windows, the command-line parameters, so it can be used to run embedded scripts and EXE files. Although Adobe Reader asks users to confirm before the file is executed, the parameter string supplied by the document is echoed into that dialogue, so the text can be worded in such a way that users have no idea they may be allowing an infection onto their systems. The vendor had previously maintained that the feature is essentially useful and only becomes a problem when misused.
From now on, however, the "Allow opening non-PDF file attachments with external applications" option (Edit > Preferences > Trust Manager) will be disabled by default, so /Launch actions that point at non-PDF targets are blocked unless a user deliberately turns the option back on. Alert dialogues will also no longer display the parameters submitted by the attacker, which could be used to confuse users; instead they only show the name of the application about to be launched. Foxit redesigned the corresponding dialogue in its PDF viewer along the same lines a few weeks ago.
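To see what the two changes above actually hide from the user, it helps to look at a /Launch action in the raw file. The following is an added example, not Adobe's or the article's code: a small scanner that pulls every /Launch action out of an unencrypted PDF, reports the target file and the attacker-controlled parameter string that the old dialogue echoed, and reduces the target to the bare application name that the redesigned dialogue shows. It builds its own constructed sample PDF to run against (the path, parameter text and object layout are all made up here); it assumes the objects are not inside compressed object streams and does not follow indirect references such as `/F 5 0 R`, so a clean result means "nothing found", not "proven clean".

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example (not Adobe's or the article's code). Assumes an unencrypted PDF whose
# objects sit in plain text, not in compressed object streams; indirect references
# (/F 5 0 R) are not followed.

_LIT = rb"\(((?:\\.|[^\\)])*)\)"   # literal string (...), honouring \) and \\ escapes
_HEX = rb"<([0-9A-Fa-f\s]*)>"      # hex string <48656C6C6F>
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def _decode_names(data: bytes) -> bytes:
    """PDF names may hex-escape characters (/L#61unch is /Launch); normalise first.
    This also touches #xx inside strings, which is acceptable for triage."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def _unescape(raw: bytes) -> str:
    """Resolve the escapes allowed in a PDF literal string."""
    def repl(m):
        e = m.group(1)
        if e[0] in b"01234567":          # octal escape \ddd
            return bytes([int(e, 8) & 0xFF])
        if e in (b"\n", b"\r"):          # backslash-newline is a line continuation
            return b""
        return _ESC.get(e, e)            # \( \) \\ and unknown escapes: drop the backslash
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, raw, flags=re.S).decode("latin-1")


def _enclosing_dict(data: bytes, pos: int) -> bytes:
    """Return the innermost << ... >> that contains pos (nesting-aware, byte level)."""
    depth, i = 0, pos
    while i >= 0:                        # walk back to the opening << at depth 0
        pair = data[i:i + 2]
        if pair == b">>":
            depth += 1
            i -= 2
        elif pair == b"<<":
            if depth == 0:
                break
            depth -= 1
            i -= 2
        else:
            i -= 1
    else:
        return b""
    start, depth, j = i, 0, i
    while j < len(data) - 1:             # walk forward to the matching >>
        pair = data[j:j + 2]
        if pair == b"<<":
            depth, j = depth + 1, j + 2
        elif pair == b">>":
            depth, j = depth - 1, j + 2
            if depth == 0:
                return data[start:j]
        else:
            j += 1
    return data[start:]


def _string_value(d: bytes, key: bytes) -> Optional[str]:
    """First string-typed value for /key anywhere in the dict, including a nested /Win dict."""
    m = re.search(rb"/" + key + rb"(?=[\s(<])\s*(?:" + _LIT + rb"|" + _HEX + rb")", d, re.S)
    if not m:
        return None
    if m.group(1) is not None:
        return _unescape(m.group(1))
    h = re.sub(rb"\s", b"", m.group(2)).decode("ascii")
    return bytes.fromhex(h + "0" * (len(h) % 2)).decode("latin-1")


def find_launch_actions(pdf: bytes) -> List[Dict[str, str]]:
    """Every /Launch action dictionary, with its target file and parameter string."""
    data = _decode_names(pdf)
    hits = []
    for m in re.finditer(rb"/S\s*/Launch\b", data):
        d = _enclosing_dict(data, m.start())
        hits.append({"file": _string_value(d, b"F") or "",
                     "parameters": _string_value(d, b"P") or "",
                     "raw": d.decode("latin-1")})
    return hits


def application_name(path: str) -> str:
    """What the redesigned dialogue shows: only the application's file name, no parameters."""
    return re.split(r"[\\/]", path)[-1]


def build_sample_pdf(launch: Optional[Tuple[str, str]] = None) -> bytes:
    """Constructed one-page PDF. With launch=(file, params) its /OpenAction is a /Launch
    action carrying a Windows /Win dictionary (ISO 32000-1, 12.6.4.5); without it, benign."""
    def lit(s: str) -> bytes:
        b = s.encode("latin-1")
        for ch in (b"\\", b"(", b")"):
            b = b.replace(ch, b"\\" + ch)
        return b"(" + b + b")"
    catalog = b"<< /Type /Catalog /Pages 2 0 R" + (b" /OpenAction 4 0 R" if launch else b"") + b" >>"
    objs = [catalog,
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>"]
    if launch:
        objs.append(b"<< /Type /Action /S /Launch /Win << /F " + lit(launch[0]) +
                    b" /P " + lit(launch[1]) + b" >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


if __name__ == "__main__":
    # Constructed target and parameter text; the parameter string is the part of the
    # prompt an attacker could word freely before the dialogue was changed.
    sample = build_sample_pdf(("C:\\Program Files\\Example\\viewer.exe",
                               "/open report.pdf   (Click Open to view the attached document)"))
    for a in find_launch_actions(sample):
        print("Launch action ->", application_name(a["file"]))
        print("  parameter string the old dialogue echoed:", a["parameters"])
```

Running the script prints the bare application name next to the full parameter string, which is exactly the contrast the Adobe change draws: the new prompt shows the first and withholds the second. The `_decode_names` step matters in practice because `/L#61unch` is a legal spelling of `/Launch`, and a scanner that greps for the plain name misses it.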
On its blog, Adobe also announced that from mid-July its download centre will offer only fully patched versions. Until now the download centre has offered only major releases (such as version 9.3), which retrieve further patches (for instance to bring them up to 9.3.3) upon installation, leaving a freshly installed Reader exposed until that first update has run. Adobe also said it was pleased with the effect of the automatic update feature introduced with Reader and Acrobat 9.3.2: it sees users installing updates three times faster than before. By default the updater downloads an update and asks for the user's confirmation before installing it, but Reader can be configured to download and install available updates silently, without asking.