Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Adobe Ships Silent Fix for Critical PDF Reader Flaw



 By: Ryan Naraine
2008-02-06
Article Rating:starstarstarstarstar / 24


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Adobe patched a gaping code execution hole in Reader but, inexplicably, has issued no public documentation on the risk severity.

Adobe has released a software fix for what's described simply as "security vulnerabilities" in its ubiquitous Adobe Reader program, but has not issued public documentation on the risk severity.

The absence of a bulletin with details and severity ratings has raised eyebrows in the security research community.

The patch, included in Adobe Reader 8.1.2, plugs at least one known critical issue that allows rigged PDF files to be used in code execution attacks, says Kostya Kortchinsky, a vulnerability researcher at Immunity.

Resource Library:
Kortchinsky, a penetration-testing specialist who writes exploits for Immunity's CANVAS attack tool, said he reverse-engineered Adobe's patch and found that it silently fixed a stack overflow that would normally carry a "highly critical" rating.

Immunity has already posted a proof-of-concept exploit to its CANVAS Early Updates subscribers.  eWEEK has tested the Immunity exploit and can confirm that it crashes an unpatched Adobe Reader when opened from Microsoft's Internet Explorer browser.

There are unconfirmed reports that this vulnerability is being exploited in the wild to launch drive-by malware downloads.

Inexplicably, Adobe has not yet released a public warning on its Security bulletins and advisories Web site. Adobe officials could not be reached to comment on the absence of an official advisory.

The only acknowledgment from Adobe that the update contains security fixes comes from this KB article that cites "a number of customer workflow issues and security vulnerabilities."

Adobe Reader 8.1.2 is available for Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows 2003 Server, Windows Vista and Macintosh 10.4.3.

According to statistics from Secunia's PSI (Personal Software Inspector), 61 percent of Windows users who use the scanning tool were running vulnerable versions of the Adobe Reader software.

 





  Reader Comments: Adobe Ships Silent Fix for Critical PDF Reader Flaw
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 



x}iw897d).H9%ǚXRI;G m䐔7~_nZ(K=7N$`(ԆB?{{~$rn#Ú=QߣC'Tw>;cOUQ!QQ2dHMs!@ ;hMcbU3CjW>Nየ:':UC.Rc2Z1VecO'cߨ``1\4XC< tϑqK<Ռ%C8GuɷC(DsgM:m˗<7*~U3pb?ʞx5ExLԨ#|xLk9GdYǽg3 (ƻf z92<7S֡*v25vKn@Z #LHȾCFT2퉝ՙd D=DV,v2*-";1ҁm!1k;Mۅ) Ta3c}f5tx%y5ƀc[>!$f&]?ZQNKm5ZN-a5 3P븍T卒^wjy%RWri9ɥ|4S (1N,TX[^C~24/zͫ˫VIz͓V;lM,O!T4"/]i?c[cHբqtqݺhtsEϭfI=w h+?['ZUlxiuH䖺540R\Hj=OIeL}xyd$YΝr 8 !=W<nr"C2qemw"{̎Q5 x}#J>"3E@;- uje +U+ oU: _ToH23Is㶚9j\K=0W5RF  J pJq䠉=z`Mil&XJp;є6`qK0TA0mRu3 .(J"BV3 /r.!}th8yWTws 94u>?tw,-U$Jմ]dpy޾k[itleof[ǫD # EHYf7-vI09갦騕to|57 l"#0Ie{eaи`ι&vo@@[3街#Yѽk:?A&2/?>f}x׵m G7f`so뷺aqh>;Ԃ!~9.Wb&;A/tCt]JINFEEKi@  $hԎar6? ŊQ^IHX-VpD m'8W BH {TKh+G@f:30YIBM&힟ń(VFNH!t0Vn)CX&,t\$m DrNa X(Ka//7]4.KiaE"%tpK].C+DÜU^c$R9+"tѡUP:ʫR us/;]ex %! o@Gu^v6j}{RkJo?z}u:ɥK-ދ)#Z$ c`ײ m@ +RU/5|Y )<:`rYTՒ>΍Ο# Џ]!.Ծ3)X A7+(SӞ̥ϭi~\!'-_k>nD@u.ae @x(8u?fϰ)lXem Rs*}i[*z/R.E׌Lu0ȀNÝ[lȡ5Քkd vOrh#քY[#WX xV IQdC5Ed kCn.I6k*1fS)(b2H+D 3˾CO.ΜqD}K{TUO4iģT3C2y $v=.EЋv}c ]LȦm[2V&\(Jh-[b?8~v:/ϪͦG+{j@'(~ |$DC>,+m4^D\X2Y߈u*/JjAz$pE"k9b iW&}\x&\_sƋbo(Q^b%+Gs;"ʈg b<p{>'F{zɈ4PGԆôWՄθā0O[&qYyVum4dX$5gGFV5XI˴9I-? O tE.ˤCG辶﩮8_A|=>J$R1iymP*f~ܓJƈOZ8 Cɼ' xEn83Ax' vBc8`"GzHXp| ^/}e$ $"z_¨B-*=2a7Z.Wd#99f}i`z}G S -$P{! WAhxa{q6}g]Itu;;$9Cv.zi:rF8q~O8e:A{DΚg0E@?].8{Zj\._ECR8"*!M~l1|˞WMw $(XLp曏ճHW6yDh0\^ < >Ni 8ՇօIsOES:\w9" [.Y G>99o֯ÏM1k&01h$Ǣ8‘s㐆Cg܃aH!oy,F T/Us:TzB_j,49πAãèNن{+^?GOX* 5l~ 2`AQ1@+JF4ZvRfp={"BtX 1uD/b)!Q\(,<\9Qlw>#FE'~Ic X x4~K0wFइgqkF3b~:)}B/M9=1$i!0n1~KP .Mu>7RRJ`"8Q9;6m[=PRشPbv(I;ΰ҇)uyjdJ>!Stl'04L P,O⴬y=!lQ1 i(KihţDlbTHJoO{Y6<6ޥ]晿LVmK$eΖˤ$!ė4 zy) #-|8B[( *VZ\Z-VyʏXI81 <}<\9$gYguOJIbӝe`iY,ix vb;2x;xZ1ݮpnezjo;t =z{j]3Lp)A/ֳ|c9KRbN8Ilkw-hE(V5s)cM:*hՑ=d]YF;p[fvcL*>dO1\jDCk&z}X3?zԯk @[ɰ=DΙ adC%[euw+[c“gD`H@5<éfwfA jl9gntpfU0p1-qbulE;cCƣd۲&ZP|;ߎ9S{K8l R*2Kp1)%ŷ`PBH/4y˭ LdT/U3K[⹏^}b[lQݏo%~<- F̍?4#l, 1y-WŃ&LVW,}`.acf8b9^?tv~ED> +ԣ3Âir e]n$vZ#{@e= *C"!aeQǴّq6{د=@'%tʮSUUJ%{x٘EWzddGk{.="V#/Bw!9qx}a01eX&k`BHL]]+<@ 3Ŝ,=.hue"-ÃNZw>PG| d(Nۦ,p&T)ٜJFjb ߋًZwtutdP}'"%ք6fexTr :=S^fc" Po=ȧ{4LLɛ~n6OӒ˩~Iunۧ<pR ge8bߌxGS<9ɺI]ogk#V\pKJH ӣש=DzR ͎-^ ďgcSe ``b0h]oJPoWbT6`DCԼO}F-vLyx lJ_a-rĤ,KRnƗ"$|'DI7@`u$՞cK }6o)ah9;R Wg"mH>1caxt!O DO؍eߙt4߈ƞum[RBe@]Lkyk0 r[Ap{4!HBQDAÚ.z=T"ZGas*kA1K$E4}nKSGL<2F@ }=JZ$'2?x9vH#Ifw<2{35^Dp}2 Kx?}d,'d[ȧ@q$" ʶW*AC/zw{~~~~~Ϝ/_shfdغLSt[’>R H`5ČnMqӊSK! !p,^<ū XHb-@س`P^W+H_,9דV *Fb ůpTT3M5!p 4!O]`[_ܪJh,M˻zP!L-c l S>0V5z&Uֿ#˺tfҥgoJY&0VCK}_K_,% cJzc d$`j֢_fX +h%"Q0M_ bqX3c Xz["oKK: ]w@)^Bjg|K^/Ym/ Iǥ=:[4xq/2WA}vR0.$o,SPG4;;T4k v7@~Lum|y#o彬?Ǯ/&S,,1^x+ ɘ9^poK)(6i< +6w1i}QN#=%13%Ⱥ#(N`+jj5^ BwM>!akr|F-?xǍE$/]V|%~0.24Ce{(p#(<Iތe3\z1hsq̉Tl/VpV@kcΩZI9z%o RkyKN ߅dc!;[#}CUA2ArCu  *R!Fs1yCaͧ5pwIM13bcC~ll+=߶Moc;bWxmj+LpX8P_q=o7ݙB 57:Uc{3[7OBOSp찄?1{xKt#ZS%԰p-|2I?*̪Dw$qf@\"w<ߢh_-eM)i fKrtȒg29^6&\=ȵ3P]"Ql磑[F^(h\ySww0^ kP_GXLb a-?(vBA!f+o7cg<' cբl5X芅ҵDŽ8 @'}XCcV={wn/~݊Kk2K=ͭ .4~َL݆k4n՜Ot 6gZk[Ѯ#G/o/9W#=^XYrRfmpͬG[PRYIva~X]$ <=LtenxtnP<#bV̯Rυq>+&[Q{Raē`䱇B 0]FhîQbF1.o3N[#;1O񗈫1hY5<1^*R@ȧYIr' .G.W#/?VHxGh݀2swe~qt6#<[23|LɀkP>񖃠jIQt+ߛwӟ{,ȏ%xĶnNKL |9yNb] $B0Ӝh[ ?4ڸ~X;ScɈO`>bJY-)I`R|Wr\gޕa)뱪bo(^ ;Ee$5 =ɕ@ZՌeȘq~/OУ.6#ko[7}3rڹ"urzlU\y;a[+L|쏺Sw;/'/U뢗.hbv>L4m+a9xe AN/&SrߛԚpi.$ "cIw';顱8fԭGaoE_VCİҋc>b^1ȯ7WnWKVTk)hl?gg:^_ H).S޿Ly *~0n0n{@ק a|S9P~V{BuJ@)ugK\8=B2z)A^_~J+%iJySYQzvBEX^๘2"௛Eߗdnle~m]tu CFWX=m ϼdmt\k8F햒a7q_/_xi +{HyHGW48<1X>tnm7S*:UϘ9:RL ?,RKtBc,;'!45EF|jpO4pὍ97p?Ml{>MH$R1iyRT'\!>2ɪ"+eW93mV+*B0XT^9Q(Fuo*!K0>Ҳz!J1 4a֭xK1BDO"׏҉w,[HH˘T͛YȌ(Iu7/ {_A1 1@e^"Զ1*r>`%aoє^\'C N*˗ X֭2YZЩnYԠC ;v=scxíd <@jRۨWy ɐ"9<21wHNP,djcV}`ߣ 0luy9k"zԿ]Fs02&-c ]z6nqCxƍagŕou̸&SDʽnN0p*"ǴC0^m opkd1=k+cNPXz7`x @۾~rh2ݙr$\ktEEבE$&Jhj=Sn=ۢ1aoJW,1{+0‚_IuZdzԤԶ"l.I6=8^0Em+v f\gHA)x߁ARhSqjF߭eh#qM&Ap&.W5b8gK“Jncw[oݽ\)b%:nww[pRӚ,`']i% e'\.Xl=7el%Ku@A ៴:Xl3%^z';qo=G}k_Veń!lYlҪ$3u(V\w|7(6؋|!Og ϽHjO)tFI cQ 1|j7;5, ǎk GGNFp)N<}~=ڢ uK ğopm.;+<1ΪTU||UYANoMV.e~ =-c)0p,\ftGm2` W:̖$_)0pu!{N}r87I )6Y-[ +"ۂK JMˬ:¹"UXJٍb ,~:3&9qSg _((U@Eq'˫@x 6s6@iҕhWɬnQ37] e.pĶ`:Vڕ*ꃺiD1e~}<3g(va",@PFkW5`/9HS^S(Rjã $c ԭ䅨<?_^&?c]'nFQuFڢ®u4M\veѩ&ߩpݼg®,vyXmF\XۙD ya1 g'{y6W=?5zlx8Y}#s!o`YX&5DV3/O BׅѰ0 L{,lyEE%%ÀBFCa 0F [Rj2 1>.Gh<˜4W6IĶqynåmS<"Y8/'L_HTxswI&xk+[Ѐ7H>Y[PE"1u0KN= >`5>gzC%h.&6a]`r8Lte4Q3|JKm)轃ȝkz^4GNDN<<*IDy)V@ȟ$3}E.tqeA= Vt*Nﺽ/ͥFPv.zi:rC*gtK??; Eot[_A}BeFBl4,Dևy*>:.RPD^zhI:F3 Ac.FC"^ֳ/ .A|>ǐy6=xL  8kE z'4mEgL(3rYO*JR۽w:"f/F1ٲMi4PUd%rR++w>c!F0rlǝlt n!%C\&Ův>1ԲAC?}^*