In association with heise online

05 November 2010, 15:21

Adobe: hole closed, hole open


Keeping track of which versions of which Adobe products have how many holes is becoming difficult. Adobe has confirmed a further unpatched hole in Adobe Reader that can very likely be exploited to infect a PC. Apparently, a flawed JavaScript function (Doc.printSeps) is responsible for the critical hole. An exploit is already in circulation, but it only causes the application to crash.

Adobe brought forward the release of the announced update for Flash Player to today (Friday), although the originally scheduled release date was the 9th of November. The update closes 18 security holes, including the hole discovered last week. Flash Player 10.1.102.64 is available to download for Windows, Linux and Mac OS. An update for Android is to be released next week.

The new Adobe Reader hole affects all versions of Reader from 9.2, or 8.1, onwards for Windows, Unix and Mac OS X. Adobe said that its Acrobat product is not affected by this hole. However, this doesn't mean that Acrobat is safe, as the update for the hole in authplay.dll in Flash Player, which also affects the Reader, has yet to be released. While Adobe announced that an update for Reader and Acrobat will be released in the week beginning on the 15th of November, it remains unclear whether this update will also fix the new problem, or whether the update will now be postponed.

Adobe's warning does at least include instructions on how to use the JavaScript blacklist to prevent the vulnerable JavaScript function from being called in the various operating systems. Unfortunately, the instructions don't mention whether using the blacklist has any effect on the application's operation.
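As an added example (not taken from the article or from Adobe's advisory), the following PowerShell script audits a Windows machine for the blacklist entry and, with `-Apply`, adds it without discarding entries already present. The registry key path, the `tBlackList` value name, its pipe-separated format and the `9.0` version segment are assumptions based on Adobe's JavaScript Blacklist Framework and should be checked against Adobe's own instructions; only the function name `Doc.printSeps` comes from the article.

```powershell
# Added example: audit and optionally set the Adobe Reader JavaScript blacklist.
# Assumptions (not from the article): key path, value name and pipe-separated
# format follow Adobe's JavaScript Blacklist Framework; version segment is a guess.
param(
    [string]$ReaderVersion = '9.0',            # assumed version segment of the key path
    [string]$Api           = 'Doc.printSeps',  # function named in the article
    [switch]$Apply                             # without -Apply the script only reports
)

$key       = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$ReaderVersion\FeatureLockDown\cJavaScriptPerms"
$valueName = 'tBlackList'

# Read the current pipe-separated list, if the key and value exist.
$current = @()
if (Test-Path $key) {
    $raw = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($raw) {
        $current = @($raw -split '\|' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}

# Report state; -contains compares case-insensitively.
if ($current -contains $Api) {
    Write-Output "OK: $Api is already blacklisted ($($current -join '|'))"
    return
}
Write-Output "MISSING: $Api is not in $valueName (current: '$($current -join '|')')"
if (-not $Apply) { return }

# Preserve existing entries and append the new one.
$new = (@($current) + $Api) -join '|'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name $valueName -Value $new -Type String
Write-Output "SET: $valueName = $new"
```

Writing under `HKLM` requires an elevated prompt. Because the effect of the blacklist on the application's operation is undocumented, test printing workflows on a pilot machine before rolling the setting out.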

Meanwhile, security specialist Secunia has reported a new problem for the recently updated Shockwave Player: opening the "Shockwave Settings" may cause an unloaded library to be called and can potentially be exploited to inject and execute arbitrary code via a specially crafted web page.

(crve)

Permalink: http://h-online.com/-1131232
 

