Adobe Releases Patches For Security Flaws In Reader And Acrobat
On June 9, 2009, in the first round of its routine updates, Adobe released patches for a number of "critical" security flaws it detected in Adobe Acrobat 9.1.1 and Reader 9.1.1 and earlier versions.
According to Adobe's security advisory, these flaws could cause applications to crash and could potentially allow a hacker to compromise a vulnerable system. However, none of the listed flaws has been exploited so far, Adobe said.
Meanwhile, attackers have been increasingly targeting Adobe's software, having discovered methods of planting malware on users' computers by tricking victims into viewing a maliciously crafted .pdf file.
According to the advisory, users of Acrobat and Reader therefore need to update their software to versions 7.1.3, 8.1.6, or 9.1.2. These updates apply to Macintosh and Windows; the Adobe Reader updates for UNIX platforms will not be released until June 16, 2009.
In particular, the updates address heap overflow, memory corruption, and stack overflow vulnerabilities, all of which could potentially allow execution of malicious code.
Further, Adobe describes a security flaw as "critical" if, when exploited, it allows malicious native code to execute without the user being aware of it.
Understandably, Adobe has been under pressure to raise the level of security of its Acrobat and Reader software, which are now the most preferred applications for researchers as well as attackers. Meanwhile, two major zero-day flaws have been exposed in Reader this year (2009).
Adobe's PDF applications are also understood to be highly targeted third-party software on Windows, accounting for almost 50% of the total targeted attacks against software applications.
Meanwhile, according to security researchers, the general absence of routine patch installation by Adobe users, particularly consumers, is responsible for most of the company's security woes.
Additionally, Qualys CTO Wolfgang Kandek, after tracking the patch activity of Adobe users, comments that merely 20% of Adobe Reader applications were actually patched between March and May, the two months when the company issued patches, DarkReading reported on June 9, 2009.
SPAMfighter News - 15-06-2009