Adobe has issued an emergency patch to address a critical flaw in Reader and Acrobat
The flaw was detailed at the recent Black Hat Conference and can be exploited by an attacker to corrupt memory via a specially crafted PDF file. The updates, which bring Adobe Reader and Acrobat to versions 9.3.4 and 8.2.4, fix an integer overflow error in the way the PDF viewer parses fonts.
The vulnerability could allow an attacker to execute arbitrary code on an affected system, according to Adobe's security bulletin. Adobe admitted that it was considering releasing the fix during its normal quarterly cycle in October, but decided to update now even though there are no reported exploits. Adobe is scheduled to release the next quarterly security updates for Reader and Acrobat on 12th October.
Andrew Storms, director of security operations at nCircle, said: “Adobe has definitely improved their release mechanism. This time they sent a communication stating that they would deliver an out-of-band patch. Unfortunately, since the first announcement, the exact date for the release has changed, leaving enterprise security teams scratching their heads.
“Adobe's initial inability to provide an exact release date leaves a lot of users feeling queasy about their release engineering cycle. Adobe still has a long way to go in providing useful details with their security bulletins, especially compared with other vendors. As usual, this one lacks useful details and mitigation information.”
Wolfgang Kandek, CTO at Qualys, said: “The vulnerability is critical and can be used to take control of the targeted computer and should be addressed as soon as possible. The update also includes the update to Flash (Adobe Reader brings its own embedded Flash version) released last week (APSB10-016), and further improves the handling of vulnerability CVE-2010-1240, which was first addressed in June in APSB10-015.”
Although the flaw was disclosed at Black Hat by Charlie Miller, principal security analyst at consulting firm Independent Security Evaluators, Adobe credited Tavis Ormandy with the discovery of the vulnerability.
Writing on his Twitter page, Miller said: “Adobe would like to thank [Ormandy] but would not like to thank me. Would have cost them bandwidth to thank two I guess. Oh well, getting your name in an advisory is fun, but it's not as fun as dropping zero-days in your Black Hat talk.”
Kandek said: “It seems that Tavis reported the vulnerability to Adobe before Charlie's Black Hat presentation. This is an example that illustrates an effect that security researchers have long tried to call attention to: it is possible and seems to happen every once in a while that vulnerabilities are discovered independently, both by security researchers and/or malware writers. Tipping Point's ZDI initiative would be in a position to publish statistics on how often they have such an overlap.”