Other security-oriented features also introduced

Oct 14, 2009 13:32 GMT  ·  By
Adobe patches critical arbitrary code execution vulnerabilities in Reader and Acrobat

Adobe has released its second quarterly security update, which addresses 29 vulnerabilities in its Reader and Acrobat products. Exploitation of the majority of these flaws could result in arbitrary code execution and one of them is already being actively targeted in Web attacks since last week.

On October 8, Adobe announced that an unpatched vulnerability affecting the latest versions of Adobe Reader and Acrobat was being exploited in the wild via maliciously crafted PDF files. This flaw, identified as CVE-2009-3459, has now been patched in the newly released Adobe Reader and Acrobat versions 9.2.0, 8.1.7 and 7.1.4.

Ten other confirmed arbitrary code execution vulnerabilities affecting both products have been patched, as well as three for which code execution has not been demonstrated but might be possible. Another three similar flaws that affected only Adobe Acrobat have also been addressed. The remaining security issues have implications such as privilege escalation, denial of service, restriction bypass, certificate forgery or cross-site scripting.

David Lenoe from Adobe's Product Security Incident Response Team (PSIRT) advises users to immediately apply the update for their respective product version. He also notes that "with support for Adobe Reader 7.X and Acrobat 7.X ending in December 2009, this is the last scheduled update planned for Adobe Reader 7.X and Acrobat 7.X." Therefore, users still using this edition for whatever reason should seriously consider updating to 8.x or 9.x.

But vulnerability patches are not the only thing this quarterly update brings. It also introduces a new beta updater, which is set to replace the currently ineffective patch delivery procedure. One of the main reasons why Adobe Reader is constantly targeted by cybercriminals is the high percentage of users who fail to update it.

The new updater is meant to change that and, according to Steve Gottwals, senior product manager for security solutions at Adobe, it will "keep end-users up-to-date in a much more streamlined and automated way." Even though this update contains the new updater technology, it will not be active by default. For starters, Adobe will activate it for a number of users invited to participate in its beta testing program.

In addition, the new Adobe Reader and Acrobat versions contain changes to the security user interface and controls. One of these is a feature called the JavaScript Blacklist Framework, which allows selective blocking of specific JavaScript API calls. This helps mitigate zero-day attacks that target a vulnerability in a specific JavaScript function without disabling JavaScript entirely.
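To show how an administrator would actually use such a selective block, here is an added example (not code from the article or from Adobe) that writes and then audits an admin-controlled JavaScript blacklist for Reader 9.x on Windows. It assumes the registry location Adobe documented for the JavaScript Blacklist Framework (a `tBlackList` string under `HKLM\SOFTWARE\Policies\Adobe\<product>\<version>\FeatureLockDown\cJavaScriptPerms`, entries in `Object.method` form separated by `|`); the API names listed are illustrative sample values, not a claim about which functions are vulnerable, and the exact key layout should be checked against Adobe's current documentation before deployment.

```powershell
# Added example: configure and verify the administrator JavaScript blacklist
# for Adobe Reader 9.x. Assumptions (verify against Adobe's documentation):
#   - policy key: HKLM\SOFTWARE\Policies\Adobe\<product>\<version>\FeatureLockDown\cJavaScriptPerms
#   - string value 'tBlackList', entries 'Object.method' joined with '|'
# Must be run from an elevated PowerShell session.

$Product = 'Acrobat Reader'   # assumed product name; 'Adobe Acrobat' for the full product
$Version = '9.0'
$KeyPath = "HKLM:\SOFTWARE\Policies\Adobe\$Product\$Version\FeatureLockDown\cJavaScriptPerms"

# Sample entries for illustration only; choose them from the vendor advisory at hand.
$Blocked = @('Collab.collectEmailInfo', 'Doc.getAnnots')

function Set-AcrobatJsBlacklist {
    param([string]$Path, [string[]]$Apis)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # De-duplicate and join in the pipe-separated form the framework expects
    $value = ($Apis | Sort-Object -Unique) -join '|'
    New-ItemProperty -Path $Path -Name 'tBlackList' -Value $value `
        -PropertyType String -Force | Out-Null
    return $value
}

function Get-AcrobatJsBlacklist {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return @() }
    $item = Get-ItemProperty -Path $Path -Name 'tBlackList' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    # Split on the literal '|' and drop empty fragments
    return @($item.tBlackList -split '\|' | Where-Object { $_ })
}

function Test-AcrobatJsBlacklist {
    # Audit step: report any expected entry that is not currently blocked
    param([string]$Path, [string[]]$Expected)
    $current = Get-AcrobatJsBlacklist -Path $Path
    $missing = @($Expected | Where-Object { $current -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning "Not blocked: $($missing -join ', ')"
        return $false
    }
    return $true
}

Set-AcrobatJsBlacklist -Path $KeyPath -Apis $Blocked | Out-Null
Test-AcrobatJsBlacklist -Path $KeyPath -Expected $Blocked   # $true when the policy took effect
```

The audit function is the part worth keeping in a compliance script: because the policy key is separate from the list Adobe itself maintains under the non-policy hive, checking the admin list on each machine is the only way to confirm that a blocked call is actually blocked after an update or re-image.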

Adobe Reader 9.2.0, 8.1.7 and 7.1.4 updates can be downloaded from here. Adobe Acrobat Professional 9.2.0 update can be downloaded from here. Adobe Acrobat Pro Extended 9.2.0 update can be downloaded from here. Adobe Acrobat 3D 8.1.7 update can be downloaded from here.