Softpedia
 


June 10th, 2009, 12:10 GMT · By

Adobe Plugs Thirteen Holes in Reader and Acrobat on Patch Tuesday



Adobe officially starts its quarterly update cycle
Adobe officially started its quarterly update cycle for its Reader and Acrobat products yesterday by addressing thirteen flaws. This is part of the company's code-hardening efforts, which were announced a few weeks ago.

Adobe Reader and Acrobat are currently deployed on millions of computers around the world, in both home and enterprise environments, just like Flash Player or Sun's Java Runtime Environment (JRE). However, such wide adoption also makes these products a favorite target for cybercrooks looking to distribute their malware.

The recent wave of highly critical vulnerabilities accompanied by zero-day exploits and attacks, as well as the company's rather slow incident response, which many security researchers have criticized, eventually prompted Adobe to take measures. Therefore, at the end of May, Brad Arkin, Adobe's director of product security and privacy, announced upcoming plans to improve the incident response process and prevent future vulnerabilities.

Amongst the intended changes was aligning the Adobe Reader and Acrobat update cycle with Microsoft's Patch Tuesday. The first quarterly batch of this sort arrived yesterday and fixed thirteen externally discovered flaws, which, according to the published advisory, could "cause the application to crash and could potentially allow an attacker to take control of the affected system."

In addition, this release also resolves undisclosed issues discovered by Adobe internally. Unfortunately, it is only available for the product versions running on Windows or Mac. "Adobe recommends users of Adobe Reader and Acrobat [to] update their product installations to versions 9.1.2, 8.1.6, or 7.1.3," the advisory notes. UNIX users will have to wait until June 16 for the fixes.

The publicly disclosed vulnerabilities addressed by this update are identified in MITRE's Common Vulnerabilities and Exposures as CVE-2009-1855, CVE-2009-1856, CVE-2009-1857, CVE-2009-1858, CVE-2009-1859, CVE-2009-0198, CVE-2009-0509, CVE-2009-0510, CVE-2009-0511, CVE-2009-0512, CVE-2009-0888, CVE-2009-0889 and CVE-2009-1861.

Wendy Poland of Adobe's Product Security Incident Response Team notes that this "first quarterly security update […] incorporates the initial output of code hardening efforts." These efforts involve reviewing the old code base of Adobe Reader and Acrobat, which predates the Secure Product Lifecycle introduced in 2005, and which is currently the main source of security issues.

The 9.1.2, 8.1.6 and 7.1.3 updates are available for download here.
