Adobe fixed six critical
vulnerabilities in its Reader and Acrobat software, including the two zero-day
flaws in its 3D rendering technology identified last month.
The latest update affects Adobe Reader
and Acrobat X for Windows and all versions on the Mac OS X, Adobe said in its security bulletin
10. Adobe fixed three memory corruption vulnerabilities and one heap corruption
vulnerability that could lead to malicious code execution in Adobe Reader and
Acrobat 10.1.2 and 9.5. Adobe also included the Adobe Flash Player update
from November in this month's
Adobe fixed the memory corruption
vulnerabilities in U3D and PRC components that were discovered by Lockheed Martin
's computer incident
response team last month. The company had issued a security bulletin warning
users of the PDF-based attack, but said attackers were only targeting Acrobat
and Reader 9 on Windows.
"These vulnerabilities could cause
the application to crash and potentially allow an attacker to take control of
the affected system," Adobe said in its advisory.
While the company released an emergency patch for Reader and Acrobat 9
Windows in December, the fix for Reader and Acrobat X on Windows and for all
versions on the Mac OS X and Linux platforms was delayed to January's scheduled
quarterly update because the enhanced security features provided by the code
sandbox in Acrobat and Reader X successfully blocked execution of the attack
code in malicious PDF documents.
Reader and Acrobat X users should check
to make sure the security measures are enabled by checking the "Security
(enhanced)" section under the program's preferences menu. The "Enable
Enhanced Security" option should be checked, according to Adobe.
Adobe also added a new feature in
Reader and Acrobat that gives administrators the ability to control whether or
researcher with the Adobe Secure Software Engineering Team
, wrote on
the ASSET blog. Considering most PDF-based attacks use embedded malicious
would help prevent these types of attacks from succeeding. However, it causes
capability allows administrators to identify trusted documents in which
according to Choudhury. The decision on whether to trust the document is based
on the file's Privileged Location value. Administrators will be able to add new
trusted locations, if necessary.
from the user preferences menu, according to Choudhury.
Adobe's update coincided with
Microsoft's Patch Tuesday, and Oracle is scheduled to have its quarterly update
on Jan. 17. Combined with the emergency patches released by Adobe and Microsoft
last month, January will be a "busy patching month" for IT
administrators, said Jim Walter, manager of the McAfee Threat Intelligence
Service at McAfee Labs.
The next quarterly update for Adobe Reader
and Acrobat is scheduled for April 10.