Adobe Systems reports plugging 17 security holes, including one that has been exploited by attackers to infect users.
Adobe Systems on June 29 plugged
17 critical security holes
affecting Adobe Reader and Acrobat.
Among the fixes is a patch for a zero-day
that impacted not only Reader and Acrobat, but versions of
Adobe Flash Player as well, on multiple operating systems. Earlier in June,
attackers were seen using the bug to plant backdoor Trojans on vulnerable
Also among the bevy of patches is a fix for a situation demonstrated
by security researcher Didier Stevens
earlier in 2010, in which a PDF
reader's "/launch" command could be abused to run malicious embedded
"[The June 29] update includes changes to resolve the misuse of this
command," blogged Steve Gottwals,
group product manager for Adobe Reader.
"We added functionality to
block any attempts to launch an executable or other harmful objects by default.
We also altered the way the existing warning dialog works to thwart the known
social engineering attacks."
When the feature is enabled, the user will get a warning message when
Almost all the vulnerabilities are known to leave users open to arbitrary
code execution. The one exception is CVE-2010-2204, a remote memory corruption
vulnerability that can cause programs to crash. According to Adobe, arbitrary
code execution has not been demonstrated, but may be possible.