06 October 2010, 10:37

Adobe patches 23 holes in Reader and Acrobat

Adobe Logo As previously announced at the end of last week, Adobe has issued security updates for its Reader and Acrobat products that patch a total of 23 holes in the PDF applications, including some that are already being actively exploited in the wild. The updates address several critical vulnerabilities, including a critical security hole, known since early September, that allows attackers to gain control of users' systems via specially crafted PDF files.

Additionally, the updates fix a number of other holes that could lead to, for example, a Denial of Service (DoS) situation and the remote execution of arbitrary code on all platforms. Versions up to and including Adobe Reader 9.3.4 and Adobe Acrobat 9.3.4 on Windows Mac OS X and UNIX are all reportedly affected. Adobe notes that a privilege escalation issue on Linux systems has also been addressed.

The company reminds users that, as its October 12th patch day was moved forward by one week, no further patches will be released on that date. Unless something major occurs, the next quarterly patch day is scheduled for the 8th of February, 2011.

Further details about the updates, including a full list of vulnerabilities closed, can be found in the security advisory from Adobe. All users are advised to upgrade to the latest releases, version 9.4 and 8.2.5 of Reader and Acrobat, as soon as possible.

Future versions of Reader, likely version 10, will include a sandbox which should make it less of a target for attackers by using what the company calls Adobe Reader "Protected Mode". Adobe says that the sandbox will be activated by default and block write access to Windows systems from within the application. In a post on the Adobe Secure Software Engineering Team Blog, Senior Security Researcher and Technical Lead at Adobe Kyle Randolph details some of the design decisions that the security team has made for Protected Mode.

See also: