Adobe issues emergency update, repairs critical Reader flaw

Adobe said a critical vulnerability could cause the application to crash and potentially allow an attacker to install malware and take control of the affected system.

Adobe Systems Inc. issued an emergency update to its Acrobat and Reader applications, repairing two critical vulnerabilities that could be used by attackers to crash the program and take control of an affected system.

In a security bulletin issued Tuesday, Adobe said the vulnerabilities affected Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh. Adobe urges users to update to versions 9.3.1 or 8.2.1.

Flash Player update:
Adobe issued an out-of-band fix, repairing a critical security vulnerability in Flash Player. The update affects Flash Player versions 10.0.42.34 and earlier, as well as Adobe AIR versions 1.5.3.9120 and earlier. According to Adobe, the Flash flaw could enable an attacker to bypass restrictions and make anonymous requests to malicious third-party sites, poisoning Flash ads and videos.

Adobe addressed an issue with Flash Player that enables an attacker to bypass process sandboxing within Reader and Acrobat to make anonymous requests to third-party websites. Adobe said the flaw is critical. The flaw enables an attacker to redirect components within embedded Flash in PDF files to malicious webpages, either causing the Flash Player to display unauthorized material or tricking the victim into downloading malware.

A second critical vulnerability causes the application to crash and could enable an attacker to execute code remotely and install malware, taking over a victim's machine. No details on the vulnerability are currently available. It was credited to the Microsoft Vulnerability Research Program (MSVR). MSVR is Microsoft's responsible disclosure program for reporting vulnerabilities that its engineers discover in third-party applications running on Windows.

Danish vulnerability clearinghouse Secunia gave the update a highly critical rating.

Adobe issued a critical update to its Flash Player last week, repairing the same sandboxing bypass vulnerability in Flash Player versions 10.0.42.34 and earlier, as well as Adobe AIR versions 1.5.3.9120 and earlier.

- Robert Westervelt
