News

Adobe repairs critical Reader, Acrobat flaws, adds JavaScript control

Robert Westervelt, News Director

Adobe Systems Inc. issued its quarterly security update Tuesday, repairing six critical vulnerabilities in its Reader and Acrobat software.


Having this ability to gain more control over JavaScript support is something that is needed in enterprise environments.

Wolfgang Kandek, CTO, Qualys Inc.

The Adobe security update affects Adobe Reader X and Adobe Acrobat X 10.1.1 and earlier versions for Windows and Mac. “These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system,” the company said in the Adobe security update outlining the repairs.

Adobe also introduced a new feature in Reader and Acrobat that gives administrators more control over the execution of JavaScript embedded in PDF files. Administrators can now disable JavaScript by default while whitelisting it for trusted documents.

“If a document is trusted, JavaScript execution will be allowed; but if it is untrusted, Adobe Reader and Acrobat will prevent all JavaScript execution,” Adobe’s software engineering team said in a blog entry outlining the new JavaScript control feature. “The trust decision is based on Privileged Locations.”

“Most of the attacks carried out using Adobe involve JavaScript in one way or another,” said Wolfgang Kandek, CTO of Redwood Shores, Calif.-based vulnerability management vendor Qualys Inc. “Having more control over JavaScript support is something that is needed in enterprise environments.”

If administrators want to disable all JavaScript support, a JavaScript lockdown capability can be enabled while disabling Trust Location. This prevents users from adding Privileged Locations, Adobe said.

Adobe said the update also includes fixes for two Adobe vulnerabilities that were addressed last month. The next quarterly security updates for Adobe Reader and Acrobat are scheduled for April 10. Adobe issued an out-of-cycle patch last month, repairing a U3D Memory Corruption Vulnerability that was part of a targeted attack and discovered by Lockheed Martin’s computer incident response team.


