Several dangerous vulnerabilities remain unpatched, Google experts warn

Aug 16, 2012 08:03 GMT  ·  By
Adobe releases security updates for Acrobat, Reader, Shockwave and Flash Player

Adobe has released security updates to patch a total of 26 flaws in older versions of Reader, Acrobat, Shockwave and Flash Player. However, security experts from Google say that several problems remain unaddressed.

To secure their computers against malicious code execution, Windows, Mac and Linux users are advised to update their Flash Players to 11.3.300.271 (for Mac and Windows) and 11.2.202.238 (for Linux).

Windows and Macintosh customers who still rely on Adobe Shockwave Player 11.6.5.635 or earlier are advised to immediately update to 11.6.6.636, which patches five bugs that could be exploited to run arbitrary code.

The security updates made available for Adobe Reader and Adobe Acrobat fix 20 vulnerabilities that could allow an attacker to take control of the affected system by leveraging an application crash. To prevent their computers from being exploited, customers are recommended to immediately update to version 10.1.4 or 9.5.2, respectively.

However, these patches address only issues that affect Mac and Windows users. According to experts, a total of 16 security holes impacting OS X, Windows, or both operating systems are yet to be fixed in Reader.

Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team – the ones who identified most of the flaws in Acrobat and Reader – fear that Reader users (especially Linux users) are exposed to serious risk.

“Considering that fixing the first twenty four crashes took twelve unique code fixes, it is expected that the remaining crashes might represent around eight more unique problems. Adobe plans to fix these remaining bugs and issue an update for the Linux version of Reader in an upcoming release,” the researchers explain.

“Though we have no evidence these bugs are being exploited today, we are concerned that functional exploits can be built without much effort based on knowledge derived from binary diffing of the old and newly patched Windows builds.”

Since there are no known workarounds for the Linux issues, Jurczyk and Coldwind recommend that customers disable the Adobe Reader browser extensions and limit their use of the product, especially when opening shady PDF documents.

As far as the unaddressed bugs in the Windows versions are concerned, there is some good news. The sandbox feature present in the Windows variant of Reader X makes the exploitation of the vulnerabilities more difficult, but not impossible.
