Seventeen critical vulnerabilities fixed

Jun 30, 2010 07:03 GMT

Adobe has released new versions of its Reader and Acrobat products, addressing a flurry of critical vulnerabilities that could lead to arbitrary code execution. One of the flaws has been actively exploited in the wild since the beginning of the month.

Out of the seventeen vulnerabilities listed in the security bulletin accompanying this release, only one affects the UNIX versions of the products. For eleven of them, successful exploitation has been demonstrated to lead to code execution, while the last one is described primarily as a denial-of-service issue.

The most dangerous vulnerability fixed in this release is identified as CVE-2010-1297 and was reported as a zero-day on June 4. The flaw is located in the component handling the playback of SWFs embedded in PDF documents and was also patched in Flash Player 10.1.53.64.

"Adobe recommends users of Adobe Reader 9.3.2 and earlier versions for Windows, Macintosh and UNIX to update to Adobe Reader 9.3.3. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.3.3, Adobe has provided the Adobe Reader 8.2.3 update.) Adobe recommends users of Adobe Acrobat 9.3.2 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.3. Adobe recommends users of Adobe Acrobat 8.2.2 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.3," the security bulletin reads.

A year ago, the company introduced a quarterly security update cycle for Reader and Acrobat, which, for the most part, it has not been able to honor. Because of critical zero-day vulnerabilities, it has already been forced to ship out-of-band patches twice, and even this latest update was pulled forward from its originally scheduled release date of July 13.

Even more worrying is that a large number of critical vulnerabilities continue to be found in Adobe Reader, despite the maker's code-hardening efforts. "The SPLC [Secure Product Lifecycle] activities have been successful in mitigating threats in new code development, but did not fully address problems in the existing code base. Therefore, an initiative in the current security effort has been focused on hardening at-risk areas of the legacy code. We've applied the latest SPLC techniques against these prioritized sections of each application," Brad Arkin, Adobe's director of product security and privacy, said in May last year.

It's also worth mentioning that Tavis Ormandy, the Google security researcher who recently published details of an unpatched Windows XP Help Center vulnerability, is credited with discovering five of the flaws addressed in this release.

The Adobe Reader 9.3.3 and 8.2.3 updates for Windows can be downloaded from here.

The Adobe Reader 9.3.3 update for Mac can be downloaded from here.

The Adobe Reader 9.3.3 update for UNIX can be downloaded from here.

You can follow the editor on Twitter @lconstantin