Adobe will fix a slew of security flaws in Reader and Acrobat, including the critical 3D vulnerabilities that were discovered in December, as part of its quarterly update.
will release patches addressing several security issues in Adobe Reader and
Acrobat as part of its scheduled quarterly update next week.
updates will affect Adobe Reader and Acrobat versions X and earlier on both the
Windows and Mac OS X platforms, Adobe said in its advance notification
announcement on Jan. 6. Adobe is expected to make the patches live on Jan. 10,
which is the same day Microsoft is scheduled to release seven bulletins as part
of the January Patch Tuesday release.
updates are considered "critical," according to the advisory.
Administrators will have to keep in mind there are updates from Adobe, Oracle
and Microsoft this month, Wolfgang Kandek, CTO of Qualys, told eWEEK
. Oracle's quarterly update is Jan.
17, a week after Adobe and Microsoft issue their patches.
quarterly updates will include fixes for two vulnerabilities that Adobe
patched on Dec. 16
in the Windows versions of Acrobat and Reader 9 and
earlier as part of an emergency update. "These updates will include fixes for
CVE-2011-2462 and CVE-2011-4369, previously addressed in Adobe Reader and
Acrobat 9.x for Windows as referenced in Security Bulletin APSB11-30," the
company said in the advisory.
have been reports that the memory corruption vulnerabilities in the U3D and PRC
components could lead to code execution attacks that are being "actively
exploited in limited, targeted attacks in the wild," Adobe had warned in
the initial zero-day advisory.
decided to delay the fixes for Acrobat and Reader X as well as for the Mac
versions to speed up the release of the out-of-band patch, Adobe had said at
the time. "The reason for addressing this issue quickly for Adobe Reader
and Acrobat 9.4.6 for Windows is simple: This is the version and platform
currently being targeted," Brad Arkin, senior director of product security
and privacy at Adobe, wrote on the Adobe Secure Software Engineering Team blog.
researchers later found several samples
of attack documents
masquerading as surveys and contracts that had been
sent to defense contractors and partners.
Mode in Reader X and Protected View in Acrobat X have managed to block unsafe
documents from launching malicious code in several different attacks recently.
Adobe has fixed each discovery, but has not had to roll out an emergency patch
for those versions yet, thanks to the built-in sandbox capabilities.
update to address these issues in Adobe Reader 9.x for Linux was planned for
Jan. 10, but was not listed in the advance advisory. Adobe still plans to
update the software on the same day, according to an Adobe spokesperson. The
Linux version did not appear on the prenotification announcement because, in
essence, the Linux update is an out-of-band patch and not part of the overall
scheduled update. The company made the decision to update the Linux version
only twice a year, as opposed to the quarterly updates for the Windows and Mac
versions. The next scheduled update for the Linux version is actually in April,
the spokesperson said.
decision to update every other quarter reflects the absence of attack activity,
Arkin wrote on the ASSET blog in June, when the change was made. "We have
never seen or heard of reports of a real-world malware sample that was
functional or targeted against Adobe Reader for Linux," Arkin said.