14 DAY TRIAL // Adobe has released updates to its Reader and Acrobat products in order to address two critical vulnerabilities that can allow attackers to execute arbitrary code.
One of the patched bugs is an integer overflow flaw identified as CVE-2010-2862, that was publicly disclosed last month by security researcher Charlie Miller during his Black Hat presentation.
Even though the Security Bulletin mentions that the vulnerability "was discussed at the Black Hat USA 2010 security conference," Adobe credits Google security engineer Tavis Ormandy with its discovery.
Apparently this is one of the relatively rare cases where two security researchers discover the same vulnerability independently of each other. In this case Mr. Ormandy reported it to Adobe first and in private.
Judging by its CVE ID, CVE-2010-1240, the second issue addressed is related to the /Launch social engineering attack described by Belgian researcher Didier Stevens in April.
This bug was originally patched in Adobe Reader 9.3.3 and 8.2.3 back in June, but a workaround was discovered a day later by Vietnamese antivirus vendor Bkis.
Users are strongly encouraged to update to the newly released Adobe Reader 9.3.4 or 8.2.4 for their respective platforms, as well as Adobe Acrobat 9.3.3 or 8.2.4, depending on the branch they use.
The company points out that the new Reader and Acrobat versions "also incorporate the Adobe Flash Player update as noted in Security Bulletin APSB10-16." [link added]
This is important because both products support SWF playback through a Flash interpreter bundled in their installations as authplay.dll.
However, because this file does not get upgraded during a normal Flash Player update, users remained exposed to Flash-based exploits embedded inside PDF documents
Even if that risk was mitigated for now, the situation might repeat itself in the future because unlike Adobe Reader and Acrobat updates which follow a uniform release cycle, Flash Player patches are put out whenever they are needed.