Adobe fixed six critical vulnerabilities in its Reader and Acrobat software, including the two zero-day flaws in its 3D rendering technology identified last month.
The latest update affects Adobe Reader and Acrobat X for Windows and all versions on the Mac OS X, Adobe said in its security bulletin released Jan. 10. Adobe fixed three memory corruption vulnerabilities and one heap corruption vulnerability that could lead to malicious code execution in Adobe Reader and Acrobat 10.1.2 and 9.5. Adobe also included the Adobe Flash Player update from November in this month’s release.
Adobe fixed the memory corruption vulnerabilities in U3D and PRC components that were discovered by Lockheed Martin‘s computer incident response team last month. The company had issued a security bulletin warning users of the PDF-based attack, but said attackers were only targeting Acrobat and Reader 9 on Windows.
“These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system,” Adobe said in its advisory.
While the company released an emergency patch for Reader and Acrobat 9 for Windows in December, the fix for Reader and Acrobat X on Windows and for all versions on the Mac OS X and Linux platforms was delayed to January’s scheduled quarterly update because the enhanced security features provided by the code sandbox in Acrobat and Reader X successfully blocked execution of the attack code in malicious PDF documents.
Reader and Acrobat X users should check to make sure the security measures are enabled by checking the “Security (enhanced)” section under the program’s preferences menu. The “Enable Enhanced Security” option should be checked, according to Adobe.
Adobe’s update coincided with Microsoft’s Patch Tuesday, and Oracle is scheduled to have its quarterly update on Jan. 17. Combined with the emergency patches released by Adobe and Microsoft last month, January will be a “busy patching month” for IT administrators, said Jim Walter, manager of the McAfee Threat Intelligence Service at McAfee Labs.
The next quarterly update for Adobe Reader and Acrobat is scheduled for April 10.