Critical vulnerabilities in Adobe Reader and Acrobat plugged
As previously announced, Adobe has released out-of-cycle updates to plug two critical security vulnerabilities in its Reader and Acrobat products. An integer overflow in the CoolType.dll file allowed attackers to inject arbitrary code onto a system when a victim opened a PDF file containing a crafted TrueType font. The second vulnerability allowed attackers to serve users crafted warning messages which could cause them to unwittingly allow execution of an arbitrary local file.
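The integer overflow class described above, illustrated with an added example that is not the CoolType code and not Adobe's actual bug: a hypothetical font-table header carries a record count and a record size, and a parser that multiplies them in 32-bit arithmetic can be made to compute a tiny byte count that passes its bounds check while the real table is far larger than the buffer. The hardened variant widens before multiplying and rejects anything that does not fit in the bytes actually available. The header layout, the function names and the two sample inputs are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 8-byte table header (big-endian, as TrueType tables are):
 *   uint32 count      number of fixed-size records that follow
 *   uint32 rec_size   size of each record in bytes
 * Both fields are attacker-controlled because they come straight from the file. */
#define HDR_LEN 8

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the byte count is computed in 32-bit arithmetic and
 * wraps, so a huge count*rec_size can look like a few bytes and pass the
 * bounds check that follows. Returns the (possibly wrapped) size. */
uint32_t naive_table_bytes(uint32_t count, uint32_t rec_size) {
    return count * rec_size;               /* silent wrap on overflow */
}

/* Hardened pattern: widen before multiplying, then reject anything that does
 * not fit in the bytes actually available. Returns true (and sets *need when
 * need is non-NULL) only when the table is fully contained in the buffer. */
bool checked_table_bytes(uint32_t count, uint32_t rec_size,
                         size_t avail, size_t *need) {
    uint64_t total = (uint64_t)count * (uint64_t)rec_size;  /* 32x32 fits in 64: no wrap */
    if (total > avail) return false;       /* also rejects anything > SIZE_MAX on 32-bit hosts */
    if (need) *need = (size_t)total;
    return true;
}

/* Parse a header and decide whether the table is safe to walk.
 * Returns the table's byte length when it is fully contained in buf,
 * -1 when buf is too short to hold a header, -2 when the size is rejected. */
long long parse_table(const uint8_t *buf, size_t len) {
    if (len < HDR_LEN) return -1;
    uint32_t count    = rd_be32(buf);
    uint32_t rec_size = rd_be32(buf + 4);
    size_t need;
    if (!checked_table_bytes(count, rec_size, len - HDR_LEN, &need)) return -2;
    return (long long)need;
}

/* Constructed inputs (not taken from any real font): a benign table of 4
 * records of 16 bytes, and a hostile header whose product 0x100000100
 * wraps to 0x100 (256) in 32 bits, exactly the 256 payload bytes provided. */
static const uint8_t benign[HDR_LEN + 64] = {
    0x00,0x00,0x00,0x04,  0x00,0x00,0x00,0x10, /* count=4, rec_size=16 */
};
static const uint8_t hostile[HDR_LEN + 256] = {
    0x01,0x00,0x00,0x01,  0x00,0x00,0x01,0x00, /* count=0x01000001, rec_size=0x100 */
};

int main(void) {
    long long b = parse_table(benign, sizeof benign);
    long long h = parse_table(hostile, sizeof hostile);
    printf("benign : checked parser accepts, need=%lld bytes\n", b);
    printf("hostile: naive computes %u bytes (would pass a <= 256 check), "
           "checked parser returns %lld\n",
           naive_table_bytes(0x01000001u, 0x100u), h);
    return 0;
}
```

The point to take from the hostile case is that the naive product is not merely wrong but plausible: it lands inside the buffer, so a bounds check placed after the multiplication offers no protection. The check has to be performed on a value that cannot have wrapped, which is why the hardened version widens first and compares against the real remaining length.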
Adobe Reader versions 9.3.3 and earlier for Windows, Mac OS and Linux and Adobe Acrobat version 9.3.3 and earlier for Windows and Mac OS are affected. The updates to version 9.3.4 also bring the applications' Flash Player components bang up to date. Under Windows, the new version is proffered for installation automatically by Adobe's update manager. After updating, a restart is required. Adobe is advising users of version 8 to install the newly released updates to version 8.2.4, in which the vulnerability is also fixed.
The critical integer overflow vulnerability was discovered by security expert Charlie Miller, who presented it publicly at the Black Hat conference in late July – although it provoked little reaction at the time. Tavis Ormandy of Google's security team also discovered the vulnerability independently and reported it to Adobe.