Adobe Systems Inc. resolved a cross-site scripting (XSS) vulnerability and a number of memory corruption and buffer overflow flaws in its PDF applications Tuesday, as part of its quarterly patching cycle. The latest update was issued using Adobe's new updater program, designed to speed up patch deployments.
In all, the software vendor repaired 15 flaws in Adobe Reader 9.3.1 and Acrobat 8.2.1 for Windows, Macintosh and UNIX. In its security bulletin, Adobe said some of the flaws could cause the applications to crash while others could allow an attacker to execute code remotely to take control of an affected system.
Adobe Reader 9.3.2 and Adobe Acrobat 9.3.2 also fix several denial of service vulnerabilities, two memory corruption errors and four buffer overflow vulnerabilities that could lead to code execution.
Adobe released the update via its new updater program, which it has been testing with some of its customers since January. In a blog post last week, Steve Gottwals, a product manager at Adobe, wrote that the testing resulted in a number of changes to the updater graphical interface to improve the end user experience as well as some tweaks to boost performance.
"The new updater has been optimized for each platform," Gottwals wrote. "To avoid disturbing the user, the new updater favors a time when the system is not busy to install new updates without user intervention."
Adobe has come under pressure to improve its patch release process. Its Reader and Acrobat applications have been increasingly targeted by attackers using malicious PDF files. Research from antivirus vendor F-Secure Corp. found that PDFs accounted for about half of targeted attacks using malicious files. Meanwhile, researchers at vulnerability management vendor Qualys Inc. found that users of Adobe products are slow to deploy the latest patches. Gottwals said Adobe hopes its new updater will speed up the patch deployment process.
The updater gives users an option to "automatically install updates." The option that is enabled by default instead prompts the user to install each update. Gottwals said Adobe has no plans to enable automatic installation by default.
"We are currently evaluating options for the best long-term solution for users, which could involve presenting the user with an opt-in screen for the automatic update option as part of the next phase in the roll-out," he said.