Adobe released 13 patches that fix critical vulnerabilities in Reader and Acrobat. Adobe also removed DigiNotar from its list of trusted CAs.
Adobe released more than a dozen security patches that fix vulnerabilities in both Reader and Acrobat as
part of the company's regular quarterly
update. Adobe also updated its list of trusted certificate authorities in the
wake of the DigiNotar breach.
Adobe issued a total of 13 patches
security issues on Sept. 13. The flaws were identified in Adobe Reader X (10.1)
and earlier versions for Windows and Macintosh, Adobe Reader 9.4.2 and earlier
for UNIX and Acrobat X (10.1) for Windows and Macintosh, according to the the security
bulletin. The vulnerabilities could cause the application to crash and
potentially allow a remote attacker to take control of the system.
"The bad news is that most of them could result in the
worst kind of security outcome - remote code execution," said Andrew
Storms, director of security at nCircle. The update was "a 'classic' Adobe
patch" in that there was "very little information" about the
bugs being fixed in the patch, Storms added.
All but one of the patches fixed flaws that could lead to
code execution, including a security bypass bug, three heap overflows, a memory
leakage condition, a use-after-free flaw, a logic error and a buffer overflow
vulnerability. The remaining patch resolved a local privilege-escalation
vulnerability that existed only in Adobe Reader X on Windows.
There were also fixes to the buffer overflow vulnerability
in the U3D TIFF Resource, a heap overflow and three stack overflows in the
image parsing library, and two stack overflows in the CoolType.dll library.
"Adobe categorizes these as critical updates and
recommends that users apply the latest updates for their product installations,"
the company wrote in the security bulletin.
While Adobe recommends users to update to the latest version
of Adobe Reader X, 10.1.1, the company is also offering Adobe Reader 9.4.6 and
Reader 8.3.1 for users "who cannot update to Adobe Reader X," according
to the advisory. Adobe Acrobat 9.4.6 and Acrobat 8.3.1 are also available for
users who can't run Adobe Acrobat X. However, Adobe is expected to end support
for Adobe Reader 8.x and Acrobat 8.x for Windows and Macintosh on Nov. 3.
The quarterly updates also incorporated the Adobe Flash
Player updates that were released Aug. 9. Adobe Reader 9.4.6 for UNIX is
currently scheduled to be released Nov. 7, Adobe said.
Along with the quarterly updates, the company also published
the updated Adobe Approved Trust List (AATL) to remove the DigiNotar Qualified
CA certificate. Adobe Reader and Acrobat X dynamically manage the Trust List
without requiring a full product update or patch, so the applications are fully
protected from potential fraudulent certificates
signed by the Dutch
Adobe Reader and Acrobat 9 require code changes to remove
DigiNotar from the list of trusted certificate authorities, said Wiebke Lips, a
spokesperson for Adobe. The update to Acrobat and Reader 9 will be delivered
"in a future update," Lips said. Until that time, users can manually
remove DigiNotar from the applications.
Google and Apple have already revoked the certificates, Adobe delayed
doing so "at the explicit request of the Dutch government, while they
explore the implications of this action and prepare their systems for
the change," Adobe said.
Adobe is expected to release the next quarterly security
updates for Adobe Reader and Acrobat on Dec. 13.