Adobe Fixes Bugs, Adds JavaScript Whitelisting to Reader, Acrobat

Adobe fixed multiple security vulnerabilities in both Reader and Acrobat 9 and X for Mac OS X and Windows. The company also added a new JavaScript whitelisting feature.

Adobe fixed six critical vulnerabilities in its Reader and Acrobat software, including the two zero-day flaws in its 3D rendering technology identified last month.

The latest update affects Adobe Reader and Acrobat X for Windows and all versions on the Mac OS X, Adobe said in its security bulletin released Jan. 10. Adobe fixed three memory corruption vulnerabilities and one heap corruption vulnerability that could lead to malicious code execution in Adobe Reader and Acrobat 10.1.2 and 9.5. Adobe also included the Adobe Flash Player update from November in this month's release.

Adobe fixed the memory corruption vulnerabilities in U3D and PRC components that were discovered by Lockheed Martin's computer incident response team last month. The company had issued a security bulletin warning users of the PDF-based attack, but said attackers were only targeting Acrobat and Reader 9 on Windows.

"These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system," Adobe said in its advisory.

While the company released an emergency patch for Reader and Acrobat 9 for Windows in December, the fix for Reader and Acrobat X on Windows and for all versions on the Mac OS X and Linux platforms was delayed to January's scheduled quarterly update because the enhanced security features provided by the code sandbox in Acrobat and Reader X successfully blocked execution of the attack code in malicious PDF documents.

Reader and Acrobat X users should check to make sure the security measures are enabled by checking the "Security (enhanced)" section under the program's preferences menu. The "Enable Enhanced Security" option should be checked, according to Adobe.

Adobe also added a new feature in Reader and Acrobat that gives administrators the ability to control whether or not to execute JavaScript code embedded in PDF files, Priyank Choudhury, a security researcher with the Adobe Secure Software Engineering Team, wrote on the ASSET blog. Considering most PDF-based attacks use embedded malicious JavaScript code in one way or other, disabling JavaScript across the board would help prevent these types of attacks from succeeding. However, it causes problems for organizations with "workflows that rely on forms and JavaScript," Choudhury said.

The new JavaScript whitelisting capability allows administrators to identify trusted documents in which JavaScript can be executed and disabling it for all other PDF documents, according to Choudhury. The decision on whether to trust the document is based on the file's Privileged Location value. Administrators will be able to add new trusted locations, if necessary.

The JavaScript lockdown control allows administrators to block all JavaScript execution, except when embedded in trusted documents. It also prevents users from manually enabling JavaScript from the user preferences menu, according to Choudhury.

Adobe's update coincided with Microsoft's Patch Tuesday, and Oracle is scheduled to have its quarterly update on Jan. 17. Combined with the emergency patches released by Adobe and Microsoft last month, January will be a "busy patching month" for IT administrators, said Jim Walter, manager of the McAfee Threat Intelligence Service at McAfee Labs.

The next quarterly update for Adobe Reader and Acrobat is scheduled for April 10.