Adobe Systems Inc. issued an emergency update to its Acrobat and Reader applications, repairing two critical vulnerabilities that could be used by attackers to crash the program and take control of an affected system.
In a security bulletin issued Tuesday, Adobe said the vulnerabilities affected Adobe Reader 9.3 for Windows, Macintosh and UNIX; Adobe Acrobat 9.3 for Windows and Macintosh; and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh. Adobe urges users to update to versions 9.3.1 or 8.2.1.
Adobe addressed an issue with Flash Player that enables an attacker to bypass process sandboxing within Reader and Acrobat to make anonymous requests to third-party websites. Adobe said the flaw is critical. The flaw enables an attacker to redirect components within embedded Flash in PDF files to malicious webpages, either causing the Flash Player to display unauthorized material or tricking the victim into downloading malware.
A second critical vulnerability causes the application to crash and could enable an attacker to execute code remotely and install malware, taking over a victim's machine. No details on the vulnerability are currently available. It was credited to the Microsoft Vulnerability Research Program (MSVR). MSVR is Microsoft's responsible disclosure program for reporting vulnerabilities that its engineers discover in third-party applications running on Windows.
Danish vulnerability clearinghouse Secunia gave the update a highly critical rating.
Adobe issued a critical update to its Flash Player last week, repairing the same sandboxing bypass vulnerability in Flash Player versions 10.0.42.34 and earlier, as well as Adobe AIR versions 22.214.171.12420 and earlier.
- Robert Westervelt