Adobe repairs critical Reader, Acrobat flaws, adds JavaScript control

The January 2012 update includes repairs to Adobe Reader X and a new feature giving administrators the ability to whitelist JavaScript execution.

Adobe Systems Inc. issued its quarterly security update Tuesday, repairing six critical vulnerabilities in its Reader and Acrobat software.

The Adobe security update affects Adobe Reader X and Adobe Acrobat X 10.1.1 and earlier versions for Windows and Mac. “These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system,” the company said in the Adobe security update outlining the repairs.

Adobe also introduced a new feature in Reader and Acrobat, giving administrators more control over the execution of JavaScript embedded in PDF files. Administrators can now disable JavaScript while still allowing it for trusted documents through a whitelist.

“If a document is trusted, JavaScript execution will be allowed; but if it is untrusted, Adobe Reader and Acrobat will prevent all JavaScript execution,” Adobe’s software engineering team said in a blog entry outlining the new JavaScript control feature. “The trust decision is based on Privileged Locations.”

“Most of the attacks carried out using Adobe involve JavaScript in one way or another,” said Wolfgang Kandek, CTO of Redwood Shores, Calif.-based vulnerability management vendor Qualys Inc. “Having more control over JavaScript support is something that is needed in enterprise environments.”

If administrators want to disable all JavaScript support, a JavaScript lockdown capability can be enabled while disabling Trust Location. This prevents users from adding Privileged Locations, Adobe said.

Adobe said the update also includes fixes for two Adobe vulnerabilities that were addressed last month. The next quarterly security updates for Adobe Reader and Acrobat are scheduled for April 10. Adobe issued an out-of-cycle patch last month, repairing a U3D Memory Corruption Vulnerability that was part of a targeted attack and discovered by Lockheed Martin’s computer incident response team.
