Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • Networking
    • PC Hardware

    Adobe Fixes Bugs, Adds JavaScript Whitelisting to Reader, Acrobat

    By
    Fahmida Y. Rashid
    -
    January 10, 2012
    Share
    Facebook
    Twitter
    Linkedin

      Adobe fixed six critical vulnerabilities in its Reader and Acrobat software, including the two zero-day flaws in its 3D rendering technology identified last month.

      The latest update affects Adobe Reader and Acrobat X for Windows and all versions on the Mac OS X, Adobe said in its security bulletin released Jan. 10. Adobe fixed three memory corruption vulnerabilities and one heap corruption vulnerability that could lead to malicious code execution in Adobe Reader and Acrobat 10.1.2 and 9.5. Adobe also included the Adobe Flash Player update from November in this month’s release.

      Adobe fixed the memory corruption vulnerabilities in U3D and PRC components that were discovered by Lockheed Martin‘s computer incident response team last month. The company had issued a security bulletin warning users of the PDF-based attack, but said attackers were only targeting Acrobat and Reader 9 on Windows.

      “These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system,” Adobe said in its advisory.

      While the company released an emergency patch for Reader and Acrobat 9 for Windows in December, the fix for Reader and Acrobat X on Windows and for all versions on the Mac OS X and Linux platforms was delayed to January’s scheduled quarterly update because the enhanced security features provided by the code sandbox in Acrobat and Reader X successfully blocked execution of the attack code in malicious PDF documents.

      Reader and Acrobat X users should check to make sure the security measures are enabled by checking the “Security (enhanced)” section under the program’s preferences menu. The “Enable Enhanced Security” option should be checked, according to Adobe.

      Adobe also added a new feature in Reader and Acrobat that gives administrators the ability to control whether or not to execute JavaScript code embedded in PDF files, Priyank Choudhury, a security researcher with the Adobe Secure Software Engineering Team, wrote on the ASSET blog. Considering most PDF-based attacks use embedded malicious JavaScript code in one way or other, disabling JavaScript across the board would help prevent these types of attacks from succeeding. However, it causes problems for organizations with “workflows that rely on forms and JavaScript,” Choudhury said.

      The new JavaScript whitelisting capability allows administrators to identify trusted documents in which JavaScript can be executed and disabling it for all other PDF documents, according to Choudhury. The decision on whether to trust the document is based on the file’s Privileged Location value. Administrators will be able to add new trusted locations, if necessary.

      The JavaScript lockdown control allows administrators to block all JavaScript execution, except when embedded in trusted documents. It also prevents users from manually enabling JavaScript from the user preferences menu, according to Choudhury.

      Adobe’s update coincided with Microsoft’s Patch Tuesday, and Oracle is scheduled to have its quarterly update on Jan. 17. Combined with the emergency patches released by Adobe and Microsoft last month, January will be a “busy patching month” for IT administrators, said Jim Walter, manager of the McAfee Threat Intelligence Service at McAfee Labs.

      The next quarterly update for Adobe Reader and Acrobat is scheduled for April 10.

      Fahmida Y. Rashid

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×