Adobe patches 8 bugs in popular PDF apps

by Gregg Keizer
Be the first to comment | I like it!
Tags: Adobe, Adobe Reader, patch, PDF
More »
on this topic
November 5, 2008, 01:37 PM —  Computerworld — 

Adobe Systems Inc. Tuesday patched its Reader application for the fifth time this year, plugging eight security holes, including one that was reported to the company more than five months ago.

In late May, researchers at Core Security Technologies told Adobe of a critical vulnerability in Adobe Reader and Adobe Acrobat, the free-of-charge and for-a-fee programs, respectively, that handle PDF (Portable Document Format) files. The bug, which could be used by hackers to launch attack code against Windows, Mac or Linux computers, was found in older versions of the software.

Version 8.1.2 of Acrobat and Reader harbor the vulnerability, Core Security said in an advisory issued early Tuesday. Newer versions of the programs, Acrobat 9 and Reader 9, which were released in June, are immune.

Attackers could exploit the buffer overflow vulnerability with specially crafted PDF files, Core Security said.

Reader 8.1.2 was itself prompted by several bugs, some of which were actively exploited in the wild before Adobe could issue the update last February. In June, Adobe released a security update to 8.1.2 to plug yet another hole. That vulnerability had also been exploited by attackers before Adobe reacted.

At the time, a security expert blasted Adobe for what he called an "epidemic" of JavaScript bugs in Reader and Acrobat.

The flaw disclosed Tuesday by Core Security also involved JavaScript. "The vulnerability is caused due to a boundary error when parsing format strings containing a floating point specifier in the 'util.printf()' JavaScript function," said Core Security's advisory.

Core Security uncovered the bug when it dug into an earlier-reported vulnerability in Foxit Reader, a free Reader clone available for Windows and Linux. Although that bug was found to be harmless to Adobe's applications, on further review, Core Security found a second flaw that could, in fact, be used to attack systems.

Core Security reported its findings to Adobe on May 20, but numerous back-and-forths and two patch postponements delayed the coordinated release of security advisories until Tuesday.

Ironically, while Foxit was able to patch against its bug in less than a month, Adobe took more than five times longer to issue fixes for its Acrobat and Reader. Ivan Arce, Core Security's chief technology officer, declined to speculate about why Adobe took so long to patch its programs, other than to point out that Tuesday's update fixed eight flaws altogether.

As to the frequent patching Adobe has had to do on the programs, particularly to quash JavaScript-related bugs, Acre had an opinion, however. "Reader is huge, and it has a lot of functionality," he said Tuesday. "Big and complex software tends to have more implementation bugs than simple and easy-to-maintain software."

Shortly after Core Security published its advisory, Adobe followed with its own. The advisory offered links to updates to Reader 8.1.3 and Acrobat 8.1.3, and included terse descriptions of the other seven vulnerabilities patched Tuesday, which included additional input validation bugs, a pair of flaws in Reader's download manager and a vulnerability that had been published publicly last May.

Adobe said it had no reports of active attacks using any of the eight vulnerabilities, something Core Security echoed for the flaw it had reported. "We told them, 'Look, this is fine, we'll wait for your patch'," said Arce, referring to conversations with Adobe when the vendor postponed its patch. "But we said, 'If we detect it in the wild, we'll release [our advisory] so people will know what to do. So far we haven't seen any attacks."

Users running Adobe Reader or Acrobat 9 don't need to take any action to protect their machines.

» posted by ITworld staff

Computerworld

I like it!
Post a comment
The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
Free books

Essential JavaFX
Get started building rich Web apps quickly with an introduction to the power of JavaFX key features -- scene node graphs, nodes as components, the coordinate system, layout options, colors and gradients, custom classes with inheritance, animation, binding, and event handlers.Enter now!

The Nomadic Developer
Consulting can be hugely rewarding, but it's easy to fail if you are unprepared. To succeed, you need a mentor who knows the lay of the land. Aaron Erickson is your mentor, and this is your guidebook. Enter now!

Featured Sponsor
Case Study: AISO grows its "green" business

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

Download this white paper »
Myth of the Million Dollar Database

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

Download this white paper »
Success Story: Weather.com handles whatever nature serves up

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Download this white paper »
Marketplace